CN106464495A - Certificate acquisition method and device - Google Patents

Publication number: CN106464495A
Authority: CN (China)
Prior art keywords: certificate, vnf, vnfc, examples, certificate request
Legal status: Granted
Application number: CN201580024220.0A
Other languages: Chinese (zh)
Other versions: CN106464495B (en)
Inventors: 熊莺, 王江胜, 冯成燕
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd

Classifications

    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45595: Network integration; Enabling network access in virtual machine instances
    • H04L41/28: Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/0281: Proxies
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

Disclosed in the present invention are a certificate acquisition method and device. A control device receives a certificate request proxy message sent by a VNF/VNFC instance, said certificate request proxy message comprising authentication information and certificate request information used for requesting a certificate. The control device uses the authentication information to authenticate the VNF/VNFC instance and, when authentication is successful, sends a certificate request message to a CA, said certificate request message comprising the certificate request information used for requesting a certificate. The control device receives the certificate issued by the CA and sends it to the VNF/VNFC instance. Thus, an instantiated VNF/VNFC instance requests, by means of a trusted link between the control device and a certificate authentication centre, a certificate issued by the certificate authentication centre, thereby effectively ensuring the validity of the VNF/VNFC instance's certificate request and ensuring, by means of the certificate issued by the certificate authentication centre, the security of the management channel established between the VNF/VNFC instance and the control device.

Description

A certificate acquisition method and device
Technical field
The present invention relates to the field of virtual network deployment, and in particular to a certificate acquisition method and device.
Background
Network Function Virtualization (NFV) is a standards organization established for the purpose of virtualizing conventional networks; it has defined a set of standards for deploying networks in a virtualized environment. The standards defined by the NFV organization make capabilities such as network virtualization and flexible deployment possible.
The virtual network framework defined by NFV contains: an element management system (Element Management System, EMS), an NFV orchestrator (NFV Orchestrator, NFVO), virtualized network function (Virtual Network Function, VNF) instances, a VNF manager (VNF Manager, VNFM), the NFV infrastructure (Network Function Virtual Infrastructure, NFVI), and the manager of the virtualized infrastructure in the VNF framework (Virtual Infrastructure Manager, VIM).
The EMS, i.e. the conventional network element management device, manages each VNF instance obtained by instantiation as a network element. The NFVO orchestrates VNFs. A VNF instance is a virtualized network element that runs a network function. The VNFM manages VNFs. The NFVI contains virtualized computing resources, virtualized storage resources, virtualized network resources and so on. The VIM manages the NFVI according to instructions from the NFVO and the VNFM.
The EMS or VNFM manages a VNF by establishing a management channel with the VNF. To prevent malicious users from attacking the network, both parties need to authenticate each other when the management channel between the EMS or VNFM and the VNF is established. Authentication is generally performed using Transport Layer Security (i.e. certificate-based authentication); that is, a certificate serves as the authentication credential with which both parties perform the authentication.
In a conventional network, however, the ways of obtaining a certificate include, but are not limited to, the following two.
First way:
A certificate is imported manually, or an initial certificate bound to the hardware is imported when the hardware and software are first installed; the initial certificate is then used to obtain the required authentication certificate through a certificate management protocol.
In the NFV standard, however, a VNF is generated automatically on a VM and cannot obtain a certificate in the first way, so the management channel established between the EMS or VNFM and the VNF has poor security.
Second way:
When a network element is produced, the network element vendor builds a vendor certificate into it. At initial configuration, the network element uses a certificate management protocol to apply to the operator's public key infrastructure (Public Key Infrastructure, PKI) for a certificate issued by the operator. During the application, the network element uses the vendor certificate as its own identity credential, so that the PKI trusts the network element and issues the operator's certificate.
In a virtualized environment, however, VNFs are generated dynamically and therefore cannot apply for a certificate in the second way, so the management channel established between the EMS or VNFM and the VNF has poor security.
Summary of the invention
In view of this, embodiments of the present invention provide a certificate acquisition method and device to solve the existing problem that the management channel established between the EMS or VNFM and the VNF has poor security.
In a first aspect, a certificate acquisition device is provided, comprising:
a receiving module, configured to receive a certificate request proxy message sent by a VNF/VNFC instance, wherein the certificate request proxy message contains verification information and certificate request information used to apply for a certificate, and the verification information is used to establish a proxy certificate application channel between the VNF/VNFC instance and the control device;
a sending module, configured to verify the VNF/VNFC instance using the verification information and, when verification succeeds, to send a certificate request message to a certificate authority (CA), wherein the certificate request message contains the certificate request information used to apply for a certificate;
the receiving module being further configured to receive the certificate issued by the CA;
the sending module being further configured to send the certificate to the VNF/VNFC instance, wherein the certificate is generated by the CA according to the certificate request information, contained in the certificate request message, that is used to apply for a certificate.
With reference to the first aspect, in a first possible implementation of the first aspect, when the verification information is a temporary credential, the temporary credential is requested from the VNF manager (VNFM) by the NFV orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance runs;
or the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
With reference to the first aspect, in a second possible implementation of the first aspect, when the verification information is pre-shared information, the pre-shared information is generated by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, or is requested from the VNFM, and is injected, via the VIM in the VNF framework and the NFVI, into the VM on which the VNF/VNFC instance runs;
or the pre-shared information is generated by the VNFM when the VNFM determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the pre-shared information includes at least one of the following:
a pre-shared key (PSK), a user name and password, a token.
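As an added illustration (not code from the patent), the sketch below walks the first-aspect flow with a pre-shared key as the verification information: the instance sends a certificate request proxy message, the control device verifies it and forwards only the certificate request information to the CA. Assumptions of this example: the HMAC binding of the PSK to the request, the nonce-based replay check, the `ToyCA` HMAC signature standing in for a real CA signature, the opaque hex string standing in for a public key, and all names and sample values.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(obj):
    """Deterministic encoding so both sides compute the MAC over the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(psk, instance_id, nonce, cert_request_info):
    """Verification value: binds the PSK to this instance, nonce and request (assumed scheme)."""
    data = _canonical({"id": instance_id, "nonce": nonce, "info": cert_request_info})
    return hmac.new(psk, data, hashlib.sha256).hexdigest()


def build_proxy_message(instance_id, psk, public_key_hex, domain_name,
                        cert_format="X.509v3"):
    """VNF/VNFC side: the certificate request proxy message sent to the control device."""
    info = {"public_key": public_key_hex, "domain_name": domain_name,
            "cert_format": cert_format}
    nonce = secrets.token_hex(16)
    return {"instance_id": instance_id, "nonce": nonce, "cert_request_info": info,
            "verification": _mac(psk, instance_id, nonce, info)}


class ToyCA:
    """Stand-in CA: an HMAC under a CA-only key replaces a real certificate signature."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.received = []  # certificate request messages that reached the CA

    def issue(self, cert_request_message):
        self.received.append(cert_request_message)
        info = cert_request_message["cert_request_info"]
        body = {"subject": info["domain_name"], "public_key": info["public_key"],
                "format": info["cert_format"], "serial": secrets.token_hex(8)}
        sig = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}

    def verify(self, cert):
        good = hmac.new(self._key, _canonical(cert["body"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(good.encode(), str(cert["signature"]).encode())


class ControlDevice:
    """VNFM role: verifies the instance, then proxies the request over its CA link."""

    def __init__(self, ca):
        self._ca = ca
        self._psk = {}      # instance_id -> PSK generated at instantiation
        self._seen = set()  # (instance_id, nonce) pairs already accepted

    def provision_instance(self, instance_id):
        """Generate the pre-shared information that is injected into the instance's VM."""
        self._psk[instance_id] = secrets.token_bytes(32)
        return self._psk[instance_id]

    def handle_proxy_message(self, msg):
        instance_id, nonce = msg.get("instance_id"), msg.get("nonce")
        psk = self._psk.get(instance_id)
        if psk is None:
            raise PermissionError("unknown instance")
        expected = _mac(psk, instance_id, nonce, msg.get("cert_request_info"))
        if not hmac.compare_digest(expected.encode(), str(msg.get("verification")).encode()):
            raise PermissionError("verification failed")
        if (instance_id, nonce) in self._seen:
            raise PermissionError("replayed request")
        self._seen.add((instance_id, nonce))
        # Only the certificate request information goes to the CA, never the PSK proof.
        return self._ca.issue({"cert_request_info": msg["cert_request_info"]})


def run_demo():
    """Constructed scenario: one valid request, one replay, one forged request."""
    ca = ToyCA()
    vnfm = ControlDevice(ca)
    psk = vnfm.provision_instance("vnf-001")
    msg = build_proxy_message("vnf-001", psk, "ab" * 32, "vnf-001.mgmt.example")
    cert = vnfm.handle_proxy_message(msg)
    outcomes = {"issued": ca.verify(cert), "subject": cert["body"]["subject"]}
    forged = build_proxy_message("vnf-001", secrets.token_bytes(32), "cd" * 32,
                                 "vnf-001.mgmt.example")
    for name, bad in (("replay", msg), ("wrong_psk", forged)):
        try:
            vnfm.handle_proxy_message(bad)
            outcomes[name] = "accepted"
        except PermissionError as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Because the verification value covers the certificate request information, a message whose public key or domain name is altered in transit fails verification at the control device and never reaches the CA.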
With reference to the first aspect, or to any of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the control device is the VNF manager (VNFM).
With reference to the first aspect, or to any of the first to third possible implementations of the first aspect, in a fifth possible implementation of the first aspect, when the control device is the NFV orchestrator (NFVO), the receiving module is specifically configured to receive the certificate request proxy message sent by the VNFM, wherein the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
With reference to the first aspect, or to any of the first to fifth possible implementations of the first aspect, in a sixth possible implementation of the first aspect, the certificate acquisition device further comprises:
a channel establishment module, configured to establish, when the certificate is sent to the VNF/VNFC instance, a management channel with the VNF/VNFC instance using the certificate.
With reference to the first aspect, or to any of the first to sixth possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one of a certificate format, a domain name and certificate authority information.
In a second aspect, a certificate acquisition device is provided, comprising:
a receiving module, configured to receive a certificate request proxy message sent by the virtualized infrastructure manager (VIM) in the VNF framework, wherein the certificate request proxy message contains the identifier of the VNF requesting a certificate and the certificate request information with which the VNF corresponding to that identifier applies for a certificate; or the identifier of the VNFC instance requesting a certificate and the certificate request information with which the VNFC instance corresponding to that identifier applies for a certificate;
a sending module, configured to send a certificate request message to a certificate authority (CA), wherein the certificate request message contains the certificate request information with which the VNF/VNFC instance applies for a certificate;
the receiving module being further configured to receive the certificate issued by the CA;
the sending module being further configured to send the certificate to the VIM, wherein the certificate is generated by the CA according to the certificate request information, contained in the certificate request message, with which the VNF/VNFC instance applies for a certificate.
With reference to the second aspect, in a first possible implementation of the second aspect, the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the VM, and then sent by the VM to the VIM over a secure channel between the VM and the VIM.
With reference to the second aspect, in a second possible implementation of the second aspect, the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and then sent to the VIM over a secure channel between the NFVI and the VIM.
With reference to the second aspect, or to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained when the NFVO or VNFM determines to instantiate the VNF/VNFC instance.
With reference to the second aspect, or to any of the first to third possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one of a certificate format, a domain name and certificate authority information.
In a third aspect, a certificate acquisition device is provided, comprising:
a receiving module, configured to receive a certificate request message sent by a virtualized network function VNF/VNFC instance, wherein the certificate request message contains a temporary credential and certificate request information used to apply for a certificate; the temporary credential is requested from the CA by the NFV orchestrator (NFVO) or the VNF manager (VNFM) when it determines that the VNF/VNFC instance needs to be instantiated, or is requested from the VNFM by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance runs;
an issuing module, configured to authenticate the VNF/VNFC instance using the temporary credential and, when authentication succeeds, to issue a certificate to the VNF/VNFC instance according to the certificate request information, contained in the certificate request message, that is used to apply for a certificate.
In a fourth aspect, a certificate acquisition device is provided, comprising:
a receiving module, configured to receive a certificate request message sent by a virtual machine (VM), wherein the certificate request message contains certificate request information used to apply for a certificate;
a sending module, configured to send a certificate request proxy message to a certificate authority (CA), wherein the certificate request proxy message contains the certificate request information with which the VM applies for a certificate;
the receiving module being configured to receive the certificate issued by the CA;
the sending module being configured to send the certificate to the VM, wherein the certificate is obtained by the CA according to the certificate request information, contained in the certificate request proxy message, with which the VM applies for a certificate.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the sending module is specifically configured to send the certificate request proxy message to the virtualized infrastructure manager (VIM) in the virtual network function framework, the VIM forwarding the certificate request proxy message to the CA.
With reference to the fourth aspect, or to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the certificate acquisition device further comprises:
a channel establishment module, configured to establish, when the VM receives the certificate, a management channel between the VM and the management device of the VM.
With reference to the fourth aspect, or to the first or second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one of a certificate format, a domain name and certificate authority information.
With reference to the third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect, the public key is generated by the VM according to initialization parameters, wherein the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained by the VIM upon receiving, from the NFV orchestrator (NFVO), the request to generate the VM.
In a fifth aspect, a certificate acquisition device is provided, comprising:
a receiving module, configured to receive a certificate request message sent by a VNF/VNFC instance, wherein the certificate request message contains verification information and certificate request information used to apply for a certificate, and the verification information is used to establish a certificate application channel between the VNF/VNFC instance and the control device;
a sending module, configured to verify the VNF/VNFC instance using the received verification information and, when verification succeeds, to issue a certificate according to the received certificate request information and send the certificate to the VNF/VNFC instance.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, when the verification information is a temporary credential, the temporary credential is requested from the VNFM by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the VM on which the VNF/VNFC instance runs;
or the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
With reference to the fifth aspect, in a second possible implementation of the fifth aspect, when the verification information is pre-shared information, the pre-shared information is generated by the NFV orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, or is requested from the VNFM, and is injected, via the VIM in the VNF framework and the NFVI, into the virtual machine (VM) on which the VNF/VNFC instance runs;
or the pre-shared information is generated by the VNFM when the VNFM determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
With reference to the second possible implementation of the fifth aspect, in a third possible implementation of the fifth aspect, the pre-shared information includes at least one of the following:
a pre-shared key (PSK), a user name and password, a token.
With reference to the fifth aspect, or to any of the first to third possible implementations of the fifth aspect, in a fourth possible implementation of the fifth aspect, the control device is the VNF manager (VNFM).
With reference to the fifth aspect, or to any of the first to third possible implementations of the fifth aspect, in a fifth possible implementation of the fifth aspect, when the control device is the NFV orchestrator (NFVO), the receiving module is specifically configured to receive the certificate request message sent by the VNFM, wherein the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
With reference to the fifth aspect, or to any of the first to fifth possible implementations of the fifth aspect, in a sixth possible implementation of the fifth aspect, the certificate acquisition device further comprises:
a channel establishment module, configured to establish, when the certificate is sent to the VNF/VNFC instance, a management channel with the VNF/VNFC instance using the certificate.
With reference to the fifth aspect, or to any of the first to sixth possible implementations of the fifth aspect, in a seventh possible implementation of the fifth aspect, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one of a certificate format, a domain name and certificate authority information.
With reference to the 6th aspect there is provided a kind of certificate acquisition equipment, including:
Signal receiver, certificate request proxy message for receiving the transmission of VNF/VNFC examples, wherein, checking information and the certificate request information for applying for certificate are included in the certificate request proxy message, the checking information is used to set up agent application certificate passage between the VNF/VNFC examples and control device;
Signal projector, for being verified using the checking information to the VNF/VNFC examples, and when being verified, certificate request message is sent to certificate verification center CA, wherein, the certificate request information for being used for applying for certificate is included in the certificate request message;
The signal receiver, is additionally operable to receive the certificate that the CA is signed and issued;
The signal projector, is additionally operable to the certificate being sent to the VNF/VNFC examples, wherein, the certificate is that the certificate request information that the CA is used to apply certificate according to being included in the certificate request message is generated.
With reference to the sixth aspect, in a first possible embodiment of the sixth aspect, when the verification information is temporary credentials, the temporary credentials are applied for from the VNF manager (VNFM) by the NFV orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and are injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the temporary credentials are generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and are injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the sixth aspect, in a second possible embodiment of the sixth aspect, when the verification information is pre-shared information, the pre-shared information is generated by the NFV orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the second possible embodiment of the sixth aspect, in a third possible embodiment of the sixth aspect, the pre-shared information includes at least one of the following:
A pre-shared key (PSK), a username and password, or a token.
With reference to the sixth aspect, or the first, second or third possible embodiment of the sixth aspect, in a fourth possible embodiment of the sixth aspect, the control device is the VNF manager (VNFM).
With reference to the sixth aspect, or the first, second or third possible embodiment of the sixth aspect, in a fifth possible embodiment of the sixth aspect, when the control device is the NFV orchestrator (NFVO), the signal receiver is specifically configured to receive the certificate request proxy message sent by the VNF manager (VNFM), where the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
With reference to the sixth aspect, or the first, second, third, fourth or fifth possible embodiment of the sixth aspect, in a sixth possible embodiment of the sixth aspect, the certificate processing device further includes a processor, where:
The processor is configured to, when the certificate is sent to the VNF/VNFC instance, establish a management channel with the VNF/VNFC instance using the certificate.
With reference to the sixth aspect, or the first, second, third, fourth, fifth or sixth possible embodiment of the sixth aspect, in a seventh possible embodiment of the sixth aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
According to a seventh aspect, a certificate acquisition device is provided, including:
A signal receiver, configured to receive a certificate request proxy message sent by the virtualized infrastructure manager (VIM) in the VNF framework, where the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information used to apply for a certificate for the VNF corresponding to that identifier; or the identifier of the VNFC instance requesting a certificate and the certificate request information used to apply for a certificate for the VNFC instance corresponding to that identifier;
A signal transmitter, configured to send a certificate request message to a certificate authority (CA), where the certificate request message includes the certificate request information used by the VNF/VNFC instance to apply for a certificate;
The signal receiver is further configured to receive the certificate issued by the CA;
The signal transmitter is further configured to send the certificate to the VIM, where the certificate is generated by the CA according to the certificate request information, used by the VNF/VNFC instance to apply for a certificate, that is included in the certificate request information.
With reference to the seventh aspect, in a first possible embodiment of the seventh aspect, the certificate request proxy message is generated by the VIM according to the received certificate request information, where the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the VM, and then sent by the VM to the VIM over a secure channel between the VM and the VIM.
With reference to the seventh aspect, in a second possible embodiment of the seventh aspect, the certificate request proxy message is generated by the VIM according to the received certificate request information, where the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and then sent to the VIM over a secure channel between the NFVI and the VIM.
With reference to the seventh aspect, or the first or second possible embodiment of the seventh aspect, in a third possible embodiment of the seventh aspect, the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained when the NFV orchestrator (NFVO) or the VNFM determines to instantiate the VNF/VNFC instance.
With reference to the seventh aspect, or the first, second or third possible embodiment of the seventh aspect, in a fourth possible embodiment of the seventh aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
According to an eighth aspect, a certificate acquisition device is provided, including:
A signal receiver, configured to receive a certificate request message sent by a virtualized network function VNF/VNFC instance, where the certificate request message includes temporary credentials and certificate request information used to apply for a certificate; the temporary credentials are applied for from the CA by the NFV orchestrator (NFVO) or the VNF manager (VNFM) when it determines that the VNF/VNFC instance needs to be instantiated, or are applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and are injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
A processor, configured to authenticate the VNF/VNFC instance using the temporary credentials and, when the authentication succeeds, issue a certificate to the VNF/VNFC instance according to the certificate request information, included in the certificate request message, used to apply for a certificate.
According to a ninth aspect, a certificate acquisition device is provided, including:
A signal receiver, configured to receive a certificate request message sent by a virtual machine (VM), where the certificate request message includes certificate request information used to apply for a certificate;
A signal transmitter, configured to send a certificate request proxy message to a certificate authority (CA), where the certificate request proxy message includes the certificate request information used by the VM to apply for a certificate;
The signal receiver is further configured to receive the certificate issued by the CA;
The signal transmitter is further configured to send the certificate to the VM, where the certificate is obtained by the CA according to the certificate request information, included in the certificate request proxy message, used by the VM to apply for a certificate.
With reference to the ninth aspect, in a first possible embodiment of the ninth aspect, the signal transmitter is specifically configured to send the certificate request proxy message to the virtualized infrastructure manager (VIM) in the virtual network function framework, the VIM forwarding the certificate request proxy message to the CA.
With reference to the ninth aspect, or the first possible embodiment of the ninth aspect, in a second possible embodiment of the ninth aspect, the certificate acquisition device further includes a processor, where:
The processor is configured to establish, when the VM receives the certificate, a management channel between the VM and the management device of the VM.
With reference to the ninth aspect, or the first or second possible embodiment of the ninth aspect, in a third possible embodiment of the ninth aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
With reference to the third possible embodiment of the ninth aspect, in a fourth possible embodiment of the ninth aspect, the public key is generated by the VM according to initialization parameters, where the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained by the VIM when it receives the VM-generation message sent by the NFV orchestrator (NFVO).
According to a tenth aspect, a certificate acquisition device is provided, including:
A signal receiver, configured to receive a certificate request message sent by a VNF/VNFC instance, where the certificate request message includes verification information and certificate request information used to apply for a certificate, and the verification information is used to establish a certificate application channel between the VNF/VNFC instance and a control device;
A signal transmitter, configured to verify the VNF/VNFC instance using the received verification information and, when the verification succeeds, issue a certificate according to the received certificate request information and send the certificate to the VNF/VNFC instance.
With reference to the tenth aspect, in a first possible embodiment of the tenth aspect, when the verification information is temporary credentials, the temporary credentials are applied for from the VNF manager (VNFM) by the NFV orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and are injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the temporary credentials are generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and are injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the tenth aspect, in a second possible embodiment of the tenth aspect, when the verification information is pre-shared information, the pre-shared information is generated by the NFV orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the second possible embodiment of the tenth aspect, in a third possible embodiment of the tenth aspect, the pre-shared information includes at least one of the following:
A pre-shared key (PSK), a username and password, or a token.
With reference to the tenth aspect, or the first, second or third possible embodiment of the tenth aspect, in a fourth possible embodiment of the tenth aspect, the control device is the VNF manager (VNFM).
With reference to the tenth aspect, or the first, second or third possible embodiment of the tenth aspect, in a fifth possible embodiment of the tenth aspect, when the control device is the NFV orchestrator (NFVO), the receiving module is specifically configured to receive the certificate request message sent by the VNF manager (VNFM), where the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
With reference to the tenth aspect, or the first, second, third, fourth or fifth possible embodiment of the tenth aspect, in a sixth possible embodiment of the tenth aspect, the certificate acquisition device further includes a processor, where:
The processor is configured to, when the certificate is sent to the VNF/VNFC instance, establish a management channel with the VNF/VNFC instance using the certificate.
With reference to the tenth aspect, or the first, second, third, fourth, fifth or sixth possible embodiment of the tenth aspect, in a seventh possible embodiment of the tenth aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
According to an eleventh aspect, a certificate acquisition method is provided, including:
A control device receives a certificate request proxy message sent by a VNF/VNFC instance, where the certificate request proxy message includes verification information and certificate request information used to apply for a certificate, and the verification information is used to establish a proxy certificate application channel between the VNF/VNFC instance and the control device;
The control device verifies the VNF/VNFC instance using the verification information and, when the verification succeeds, sends a certificate request message to a certificate authority (CA), where the certificate request message includes the certificate request information used to apply for a certificate;
The control device receives the certificate issued by the CA and sends the certificate to the VNF/VNFC instance, where the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used to apply for a certificate.
With reference to the eleventh aspect, in a first possible embodiment of the eleventh aspect, when the verification information is temporary credentials, the temporary credentials are applied for from the VNF manager (VNFM) by the NFV orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and are injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the temporary credentials are generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and are injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the eleventh aspect, in a second possible embodiment of the eleventh aspect, when the verification information is pre-shared information, the pre-shared information is generated by the NFV orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the second possible embodiment of the eleventh aspect, in a third possible embodiment of the eleventh aspect, the pre-shared information includes at least one of the following:
A pre-shared key (PSK), a username and password, or a token.
With reference to the eleventh aspect, or the first, second or third possible embodiment of the eleventh aspect, in a fourth possible embodiment of the eleventh aspect, the control device is the VNF manager (VNFM).
With reference to the eleventh aspect, or the first, second or third possible embodiment of the eleventh aspect, in a fifth possible embodiment of the eleventh aspect, when the control device is the NFV orchestrator (NFVO), the receiving, by the control device, of the certificate request proxy message sent by the VNF/VNFC instance includes:
The NFVO receives the certificate request proxy message sent by the VNF manager (VNFM), where the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
With reference to the eleventh aspect, or the first, second, third, fourth or fifth possible embodiment of the eleventh aspect, in a sixth possible embodiment of the eleventh aspect, the method further includes:
When sending the certificate to the VNF/VNFC instance, the control device establishes a management channel with the VNF/VNFC instance using the certificate.
With reference to the eleventh aspect, or the first, second, third, fourth, fifth or sixth possible embodiment of the eleventh aspect, in a seventh possible embodiment of the eleventh aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
According to a twelfth aspect, a certificate acquisition method is provided, including:
A VNF manager (VNFM) receives a certificate request proxy message sent by the virtualized infrastructure manager (VIM) in the VNF framework, where the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information used to apply for a certificate for the VNF corresponding to that identifier; or the identifier of the VNFC instance requesting a certificate and the certificate request information used to apply for a certificate for the VNFC instance corresponding to that identifier;
The VNFM sends a certificate request message to a certificate authority (CA), where the certificate request message includes the certificate request information used by the VNF/VNFC instance to apply for a certificate;
The VNFM receives the certificate issued by the CA and sends the certificate to the VIM, where the certificate is generated by the CA according to the certificate request information, used by the VNF/VNFC instance to apply for a certificate, that is included in the certificate request information.
With reference to the twelfth aspect, in a first possible embodiment of the twelfth aspect, the certificate request proxy message is generated by the VIM according to the received certificate request information, where the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the VM, and then sent by the VM to the VIM over a secure channel between the VM and the VIM.
With reference to the twelfth aspect, in a second possible embodiment of the twelfth aspect, the certificate request proxy message is generated by the VIM according to the received certificate request information, where the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and then sent to the VIM over a secure channel between the NFVI and the VIM.
With reference to the twelfth aspect, or the first or second possible embodiment of the twelfth aspect, in a third possible embodiment of the twelfth aspect, the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained when the NFV orchestrator (NFVO) or the VNFM determines to instantiate the VNF/VNFC instance.
With reference to the twelfth aspect, or the first, second or third possible embodiment of the twelfth aspect, in a fourth possible embodiment of the twelfth aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
According to a thirteenth aspect, a certificate acquisition method is provided, including:
A certificate authority (CA) receives a certificate request message sent by a virtualized network function VNF/VNFC instance, where the certificate request message includes temporary credentials and certificate request information used to apply for a certificate; the temporary credentials are applied for from the CA by the NFV orchestrator (NFVO) or the VNF manager (VNFM) when it determines that the VNF/VNFC instance needs to be instantiated, or are applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and are injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
The CA authenticates the VNF/VNFC instance using the temporary credentials and, when the authentication succeeds, issues a certificate to the VNF/VNFC instance according to the certificate request information, included in the certificate request message, used to apply for a certificate.
According to a fourteenth aspect, a certificate acquisition method is provided, including:
The NFV infrastructure (NFVI) receives a certificate request message sent by a virtual machine (VM), where the certificate request message includes certificate request information used to apply for a certificate;
The NFVI sends a certificate request proxy message to a certificate authority (CA), where the certificate request proxy message includes the certificate request information used by the VM to apply for a certificate;
The NFVI receives the certificate issued by the CA and sends the certificate to the VM, where the certificate is obtained by the CA according to the certificate request information, included in the certificate request proxy message, used by the VM to apply for a certificate.
With reference to the fourteenth aspect, in a first possible embodiment of the fourteenth aspect, the sending, by the NFVI, of the certificate request proxy message to the CA includes:
The NFVI sends the certificate request proxy message to the virtualized infrastructure manager (VIM) in the virtual network function framework, and the VIM forwards the certificate request proxy message to the CA.
With reference to the fourteenth aspect, or the first possible embodiment of the fourteenth aspect, in a second possible embodiment of the fourteenth aspect, the method further includes:
When the VM receives the certificate, a management channel is established between the VM and the management device of the VM.
With reference to the fourteenth aspect, or the first or second possible embodiment of the fourteenth aspect, in a third possible embodiment of the fourteenth aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
With reference to the third possible embodiment of the fourteenth aspect, in a fourth possible embodiment of the fourteenth aspect, the public key is generated by the VM according to initialization parameters, where the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained by the VIM when it receives the VM-generation message sent by the NFV orchestrator (NFVO).
According to a fifteenth aspect, a certificate acquisition method is provided, including:
A control device receives a certificate request message sent by a VNF/VNFC instance, where the certificate request message includes verification information and certificate request information used to apply for a certificate, and the verification information is used to establish a certificate application channel between the VNF/VNFC instance and the control device;
The control device verifies the VNF/VNFC instance using the received verification information and, when the verification succeeds, issues a certificate according to the received certificate request information and sends the certificate to the VNF/VNFC instance.
With reference to the fifteenth aspect, in a first possible embodiment of the fifteenth aspect, when the verification information is temporary credentials, the temporary credentials are applied for from the VNF manager (VNFM) by the NFV orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and are injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the temporary credentials are generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and are injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the fifteenth aspect, in a second possible embodiment of the fifteenth aspect, when the verification information is pre-shared information, the pre-shared information is generated by the NFV orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
Or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
With reference to the second possible embodiment of the fifteenth aspect, in a third possible embodiment of the fifteenth aspect, the pre-shared information includes at least one of the following:
A pre-shared key (PSK), a username and password, or a token.
With reference to the fifteenth aspect, or the first, second or third possible embodiment of the fifteenth aspect, in a fourth possible embodiment of the fifteenth aspect, the control device is the VNF manager (VNFM).
With reference to the fifteenth aspect, or the first, second or third possible embodiment of the fifteenth aspect, in a fifth possible embodiment of the fifteenth aspect, when the control device is the NFV orchestrator (NFVO), the receiving, by the control device, of the certificate request message sent by the VNF/VNFC instance includes:
The NFVO receives the certificate request message sent by the VNF manager (VNFM), where the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
With reference to the fifteenth aspect, or the first, second, third, fourth or fifth possible embodiment of the fifteenth aspect, in a sixth possible embodiment of the fifteenth aspect, the method further includes:
When sending the certificate to the VNF/VNFC instance, the control device establishes a management channel with the VNF/VNFC instance using the certificate.
With reference to the fifteenth aspect, or the first, second, third, fourth, fifth or sixth possible embodiment of the fifteenth aspect, in a seventh possible embodiment of the fifteenth aspect, the certificate request information includes: the corresponding public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of a certificate format, a domain name and certificate authority information.
In the embodiments of the present invention, the control device receives a certificate request proxy message sent by a VNF/VNFC instance, where the certificate request proxy message includes verification information and certificate request information used to apply for a certificate, and the verification information is used to establish a proxy certificate application channel between the VNF/VNFC instance and the control device. The control device verifies the VNF/VNFC instance using the verification information and, when the verification succeeds, sends to the CA a certificate request message that includes the certificate request information used to apply for a certificate. The control device receives the certificate issued by the CA and sends it to the VNF/VNFC instance. In this way, the instantiated VNF/VNFC instance applies for a CA-issued certificate over the trusted link between the control device and the CA, which effectively ensures the legitimacy of the VNF/VNFC instance's certificate application and ensures the security of the management channel that the VNF/VNFC instance and the control device establish using the certificate issued by the CA.
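The control device's side of the proxy flow summarized above, as an added example that is not part of the patent text. It assumes the verification information is a token generated at instantiation, single-use and time-limited (both assumptions); the message field names, the `ControlDevice` class and the stand-in CA are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Message field names are constructed for this example; the page names the
# information elements but defines no wire format.
OPTIONAL_FIELDS = ("cert_format", "domain_name", "ca_info")


class EnrollmentError(Exception):
    """A certificate request proxy message was rejected."""


@dataclass
class ControlDevice:
    """Hypothetical VNFM acting as certificate application proxy."""
    ca_issue: Callable[[dict], dict]   # stand-in for the trusted link to the CA
    token_ttl: float = 300.0           # assumed validity window, in seconds
    _pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def instantiate(self, instance_id: str, now: Optional[float] = None) -> str:
        """Create the token that VIM/NFVI inject into the instance's VM."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[instance_id] = (token, now + self.token_ttl)
        return token

    def handle_proxy_request(self, msg: dict, now: Optional[float] = None) -> dict:
        """Verify the instance, then forward only the request information."""
        now = time.time() if now is None else now
        instance_id = msg.get("instance_id")
        presented = msg.get("verification_info")
        info = msg.get("cert_request_info")

        if not isinstance(instance_id, str) or not isinstance(presented, str):
            raise EnrollmentError("malformed proxy message")
        entry = self._pending.get(instance_id)
        if entry is None:
            raise EnrollmentError("no pending token for instance")
        expected, expiry = entry
        if now > expiry:
            del self._pending[instance_id]
            raise EnrollmentError("verification information expired")
        # Constant-time comparison: no timing hint about how much matched.
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            raise EnrollmentError("verification failed")
        if not isinstance(info, dict) or "public_key" not in info:
            raise EnrollmentError("request information lacks a public key")
        if not any(key in info for key in OPTIONAL_FIELDS):
            raise EnrollmentError("need format, domain name or CA information")

        # Single use: a captured message cannot obtain a second certificate.
        del self._pending[instance_id]
        # The token stops here; the CA receives the request information only.
        return self.ca_issue({"cert_request_info": dict(info)})


def run_demo() -> dict:
    """Run the exchange on constructed inputs and report each outcome."""
    seen_by_ca = []

    def demo_ca(request: dict) -> dict:
        # Stand-in CA: returns a plain record, not a real X.509 certificate.
        seen_by_ca.append(request)
        info = request["cert_request_info"]
        return {"issuer": info.get("ca_info", "demo-ca"),
                "subject": info.get("domain_name"),
                "public_key": info["public_key"]}

    def attempt(device, message, now):
        try:
            return device.handle_proxy_request(message, now=now)
        except EnrollmentError as exc:
            return str(exc)

    vnfm = ControlDevice(ca_issue=demo_ca)
    token = vnfm.instantiate("vnfc-1", now=1000.0)
    msg = {"instance_id": "vnfc-1", "verification_info": token,
           "cert_request_info": {"public_key": "constructed-public-key",
                                 "domain_name": "vnfc-1.mgmt.example",
                                 "ca_info": "operator-ca"}}
    late = vnfm.instantiate("vnfc-2", now=2000.0)
    late_msg = dict(msg, instance_id="vnfc-2", verification_info=late)
    return {
        "wrong_token": attempt(vnfm, dict(msg, verification_info="guess"), 1001.0),
        "certificate": attempt(vnfm, msg, 1002.0),
        "replay": attempt(vnfm, msg, 1003.0),
        "expired": attempt(vnfm, late_msg, 2301.0),
        "ca_requests": seen_by_ca,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

A failed guess leaves the pending token in place, so a third party cannot cancel a legitimate instance's enrollment by sending a bad request under its identifier.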
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Apparently, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a certificate acquisition method provided by Embodiment one of the present invention;
Fig. 2 is a schematic flowchart of a certificate acquisition method provided by Embodiment two of the present invention;
Fig. 3 is a schematic flowchart of a certificate acquisition method provided by Embodiment three of the present invention;
Fig. 4 is a schematic flowchart of a certificate acquisition method provided by Embodiment four of the present invention;
Fig. 5 is a schematic flowchart of a certificate acquisition method provided by Embodiment five of the present invention;
Fig. 6 is a schematic flowchart of a certificate acquisition method;
Fig. 7 is a schematic structural diagram of a certificate acquisition device provided by Embodiment six of the present invention;
Fig. 8 is a schematic structural diagram of a certificate acquisition device provided by Embodiment seven of the present invention;
Fig. 9 is a schematic structural diagram of a certificate acquisition device provided by Embodiment eight of the present invention;
Fig. 10 is a schematic structural diagram of a certificate acquisition device provided by Embodiment nine of the present invention;
Fig. 11 is a schematic structural diagram of a certificate acquisition device provided by Embodiment ten of the present invention;
Fig. 12 is a schematic structural diagram of a certificate acquisition device provided by Embodiment 11 of the present invention;
Fig. 13 is a schematic structural diagram of a certificate acquisition device provided by Embodiment 12 of the present invention;
Fig. 14 is a schematic structural diagram of a certificate acquisition device provided by Embodiment 13 of the present invention;
Fig. 15 is a schematic structural diagram of a certificate acquisition device provided by Embodiment 14 of the present invention;
Fig. 16 is a schematic structural diagram of a certificate acquisition device provided by Embodiment 15 of the present invention.
Detailed description of the embodiments
To achieve the purpose of the present invention, the embodiments of the present invention provide a certificate acquisition method and device. The control device receives a certificate request proxy message sent by a VNF/VNFC instance. The certificate request proxy message includes checking information and the certificate request information used to apply for a certificate; the checking information is used to set up a proxy certificate application channel between the VNF/VNFC instance and the control device. The control device uses the checking information to verify the VNF/VNFC instance and, when verification passes, sends the CA a certificate request message that includes the certificate request information used to apply for the certificate. The control device receives the certificate issued by the CA and sends it to the VNF/VNFC instance. In this way, the instantiated VNF/VNFC instance applies for a CA-issued certificate over the trusted link between the control device and the certificate authority, which effectively ensures the legitimacy of the VNF/VNFC instance's certificate application and ensures the security of the management channel that the VNF/VNFC instance and the control device set up using the CA-issued certificate.
It should be noted that a VNF, once instantiated, is a new virtual network element that has not yet established a trusted link with the other network elements in the virtual network, and that it and the certificate authority (Certificate Authority, CA) are mutually untrusted network elements. It therefore cannot apply for a certificate from the CA directly. In the embodiments of the present invention, the VNF obtains a legitimate certificate from the CA by means of a certificate request proxy.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Embodiment one:
Fig. 1 is a schematic flowchart of the certificate acquisition method provided by Embodiment one of the present invention. The method may be as follows.
Step 101: The control device receives the certificate request proxy message sent by the VNF.
The certificate request proxy message includes checking information and the certificate request information used to apply for a certificate; the checking information is used to set up a proxy certificate application channel between the VNF and the control device.
In addition, the certificate request proxy message received by the control device may also be sent by a virtual network function component (Virtual Network Function Component, VNFC) instance.
It should be noted that if the certificate request information is sent by the VNF, it contains at least one of: the public key of the public/private key pair generated by the VNF, certificate format, domain name, and certificate authority information. If the certificate request information is sent by a VNFC instance, it contains at least one of: the public key of the public/private key pair generated by the VNFC instance, certificate format, domain name, and certificate authority information.
The control device mentioned here may be a VNFM or an NFVO; this is not limited here.
If the control device is a VNFM, the VNFM directly receives the certificate request proxy message sent by the VNF. If the control device is an NFVO, the NFVO receives the certificate request proxy message from the VNFM; that message is sent by the VNF and forwarded by the VNFM.
In step 101, in the virtual network, after VNF/VNFC instantiation is complete, a certificate needs to be applied for on behalf of the VNF/VNFC instance in order to secure communication between the VNF/VNFC instance and other network elements or virtual network elements.
Specifically, on receiving an instruction to instantiate a VNF/VNFC, the control device determines the checking information that will later be used to set up the proxy certificate application channel between the VNF/VNFC instance and the control device, and sends the instruction, carrying the determined checking information, to the VIM. The VIM sends the instantiation instruction to the NFVI, requesting the NFVI to allocate a VM for the VNF/VNFC instance and complete the VNF/VNFC instantiation.
After the NFVI allocates a VM for the VNF/VNFC instance and completes the VNF/VNFC instantiation, it injects the determined checking information carried in the instantiation instruction into the VM that hosts the VNF/VNFC instance (the host VM).
It should be noted that the checking information mentioned here may also be called initial credential information.
Optionally, the checking information takes, but is not limited to, the following forms:
First case:
The checking information is a temporary credential.
It should be noted here that the temporary credential may be signed using the private key corresponding to the temporary credential.
The temporary credential is applied for from the VNFM by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
Or, the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
It should be noted that, whether the NFVO applies to the VNFM for the temporary credential when it determines that the VNF/VNFC needs to be instantiated, or the VNFM generates the temporary credential in a specific way when it determines that the VNF/VNFC needs to be instantiated, a temporary credential generated by the VNFM can be trusted only by the VNFM; other network elements in the virtual network cannot trust it.
For example, the VNFM obtains the temporary credential in a specific way (for example, by signing the public key of the VNF/VNFC instance with a specific private key); the temporary credential can be trusted only by the VNFM, and other network elements do not trust it.
Optionally, the temporary credential is applied for from the CA by the NFVO when the NFVO determines that the VNF/VNFC needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC;
Or, the temporary credential is applied for from the CA by the VNFM when the VNFM determines that the VNF/VNFC needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC.
The precondition for the NFVO/VNFM applying to the CA for a temporary credential, when it determines that the VNF/VNFC instance needs to be instantiated, is:
The CA obtains the temporary credential in a specific way (for example, by signing the public key of the VNF/VNFC instance with a specific private key); the temporary credential can be trusted only by the CA, and other network elements do not trust it.
When the temporary credential is transmitted between the NFVO/VNFM, the VIM and the NFVI, the private key corresponding to the temporary credential also has to be transmitted. Transmitting a private key between multiple network elements is a security risk, so this embodiment needs to ensure the communication security between the NFVO/VNFM, the VIM and the NFVI, so that the private key corresponding to the temporary credential of the VNF/VNFC is not leaked. In addition, in this embodiment the temporary credential can be used only once, which prevents the risk of the corresponding private key being obtained by a malicious network element during repeated use and further ensures the security of communication between the network elements in the virtual network.
Second case:
The checking information is pre-shared information.
The pre-shared information includes at least one of the following: a pre-shared key (PSK), a user name and password (Password), a token (Token).
The pre-shared information is generated by the NFVO when the NFVO determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
Or, the pre-shared information is generated by the VNFM when the VNFM determines that the VNF/VNFC needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
It should be noted that if the pre-shared information is generated by the NFVO, the NFVO sends the generated pre-shared information to the VNFM; alternatively, the pre-shared information is generated by the VNFM. Either way, the purpose is that the initial communication between the VNF/VNFC instance and the VNFM can be authenticated with the pre-shared information, thereby establishing a trust relationship.
It should be noted that pre-shared information is configured in advance at both ends that need to communicate, and the two ends establish communication by means of it. The key included in the pre-shared information may be a symmetric key, that is, the keys held by the two communicating parties are identical, or an asymmetric key, that is, the keys held by the two communicating parties differ, for example a public/private key pair.
To ensure the legitimacy of the certificate application, the VNF/VNFC instance applies for the certificate by means of a certificate request proxy.
The VNF/VNFC instance can then apply for the certificate using the determined checking information and the certificate request information used to apply for the certificate.
The VNF/VNFC instance sends a certificate request proxy message to the control device; the certificate request proxy message includes the checking information and the certificate request information used to apply for the certificate.
Step 102: The control device uses the checking information to verify the VNF and, when verification passes, sends a certificate request message to the CA.
The certificate request message includes the certificate request information used to apply for the certificate.
The control device signs the certificate request message using the private key corresponding to its own certificate.
In step 102, if the certificate request proxy message received by the control device in step 101 was sent by a VNFC instance, the control device uses the checking information to verify the VNFC instance.
The ways in which the control device uses the checking information to verify the VNF/VNFC instance include, but are not limited to, the following:
If the checking information is the temporary credential described in the first case of step 101, then on receiving the checking information included in the certificate request proxy message, the control device performs digital signature verification on the certificate request message:
The control device decrypts the signature of the received certificate request proxy message using the public key in the received temporary credential to obtain a first digest, performs a hash calculation over the received certificate request proxy message to obtain a second digest, and compares whether the first digest and the second digest are identical.
When the comparison shows that the first digest is identical to the second digest and the validity check of the received temporary credential passes, the control device determines that verification of the VNF/VNFC instance passes;
When the comparison shows that the first digest differs from the second digest, or the validity check of the temporary credential does not pass, the control device determines that verification of the VNF/VNFC instance does not pass.
If the checking information is the pre-shared information described in the second case of step 101, then on receiving the checking information included in the certificate request proxy message, the control device calculates first original text information from the pre-stored pre-shared information and the received checking information, and compares it with second original text information. The second original text information may be received together with the checking information or may be pre-stored; this is not limited here.
The VNFM determines that verification of the VNF/VNFC instance passes when the first original text information is identical to the second original text information, and determines that verification of the VNF/VNFC instance does not pass when they differ.
Assume that the checking information is the user name + password (Password) or the token (Token) described in the second case of step 101, either generated directly or generated by calculation. On receiving the Password or Token included in the certificate request proxy message, the VNFM proceeds as follows: if the received certificate request proxy message includes a Password, the received Password is compared with the Password that the control device issued when it determined that the VNF/VNFC instance needed to be instantiated; if the received certificate request proxy message includes a Token, the received Token is compared with the Token that the control device issued when it determined that the VNF/VNFC instance needed to be instantiated.
When the VNFM determines that the received Password is identical to, or associated with, the Password that the control device issued when it determined that the VNF instance needed to be instantiated, it determines that verification of the VNF instance passes; when it determines that the received Password is neither identical to nor associated with that Password, it determines that verification of the VNF instance does not pass.
When the VNFM determines that the received Token is identical to, or associated with, the Token that the control device issued when it determined that the VNF instance needed to be instantiated, it determines that verification of the VNF instance passes; when it determines that the received Token is neither identical to nor associated with that Token, it determines that verification of the VNF instance does not pass.
The pre-shared information can be used with a variety of authentication mechanisms: for example, it may be sent directly, sent after a cryptographic operation, or sent using a mechanism based on a challenge or random number sent by the control device. Details are not repeated here.
The challenge or random number is sent directly to the VNF/VNFC instance by the control device before the VNF/VNFC instance sends the certificate request proxy message to the control device, or is injected over the VIM-NFVI path into the VM that hosts the VNF/VNFC instance.
Step 103: The control device receives the certificate issued by the CA and sends the certificate to the VNF/VNFC instance.
The certificate is generated by the CA according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
The control device successfully receives the certificate issued by the CA after the message that the control device sent to the CA, carrying the request to issue the certificate of the VNF/VNFC instance, has been successfully verified.
Optionally, in step 103, on successfully receiving the certificate issued by the CA, the control device determines that the checking information used in step 101 (the temporary credential or pre-shared information) becomes invalid; that is, once the certificate issued by the CA has been received, the checking information is no longer trusted by the control device.
Further optionally, after step 103, the control device determines that the checking information used in step 101 (the temporary credential or pre-shared information) becomes invalid after it receives the confirmation message sent by the VNF/VNFC instance.
Further optionally, on receiving the certificate sent by the control device, the VNF/VNFC instance uses the checking information to verify the control device and, when verification passes, sends a confirmation message to the control device.
In this embodiment of the present invention, the method further includes:
When sending the certificate to the VNF/VNFC instance, the control device uses the certificate to set up a management channel with the VNF/VNFC instance.
It should be noted that in this embodiment of the present invention the trust relationship between the VNF/VNFC instance and the control device is established through the checking information, mainly by the control device verifying the checking information included in the certificate request message. Optionally, the checking information may instead be verified by the CA: in step 102 of this embodiment, on receiving the certificate request message, the control device forwards it to the CA, and the CA verifies the checking information included in the certificate request message.
With the scheme of Embodiment one of the present invention, the control device receives a certificate request proxy message sent by a VNF/VNFC instance. The certificate request proxy message includes checking information and the certificate request information used to apply for a certificate; the checking information is used to set up a proxy certificate application channel between the VNF/VNFC instance and the control device. The control device uses the checking information to verify the VNF/VNFC instance and, when verification passes, sends the CA a certificate request message that includes the certificate request information used to apply for the certificate. The control device receives the certificate issued by the CA and sends it to the VNF/VNFC instance. In this way, the instantiated VNF/VNFC instance applies for a CA-issued certificate over the trusted link between the control device and the certificate authority, which effectively ensures the legitimacy of the VNF/VNFC instance's certificate application and ensures the security of the management channel that the VNF/VNFC instance and the control device set up using the CA-issued certificate.
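The pre-shared-information path of steps 101 to 103, with the checking information invalidated once the certificate is issued, shown as an added example that is not code from the patent. The HMAC-SHA256 proof over a challenge, the message fields, the class and function names and all sample values are assumptions, and the CA is a local stub.

```python
import hashlib
import hmac
import json
import secrets


def compute_proof(psk: bytes, challenge: bytes, instance_id: str, request_info: dict) -> str:
    """HMAC-SHA256 over the challenge, the instance id and the canonical request.

    Binding the proof to the certificate request information is an assumption
    of this example; the page only requires that both ends derive comparable
    values from the pre-shared information.
    """
    body = json.dumps({"id": instance_id, "req": request_info},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(psk, challenge + body, hashlib.sha256).hexdigest()


def build_proxy_message(instance_id: str, psk: bytes, challenge: bytes, request_info: dict) -> dict:
    """VNF/VNFC instance side: the certificate request proxy message."""
    return {"instance_id": instance_id,
            "request_info": request_info,
            "proof": compute_proof(psk, challenge, instance_id, request_info)}


class StubCA:
    """Placeholder for the CA behind the control device's trusted link."""

    def issue(self, request_info: dict) -> dict:
        return {"subject": request_info["domain_name"],
                "public_key": request_info["public_key"],
                "issuer": "constructed-example-ca"}


class ControlDevice:
    """VNFM or NFVO acting as the certificate request proxy."""

    def __init__(self, ca):
        self._ca = ca
        # instance id -> (psk, challenge); an entry lives until a certificate is issued
        self._pending = {}

    def on_instantiate(self, instance_id: str):
        """Determine the checking information when instantiation is requested.

        The returned values are what would be injected into the host VM
        via the VIM and the NFVI.
        """
        psk = secrets.token_bytes(32)
        challenge = secrets.token_bytes(16)
        self._pending[instance_id] = (psk, challenge)
        return psk, challenge

    def handle_proxy_message(self, msg: dict):
        """Steps 102 and 103: verify the instance, ask the CA, invalidate."""
        pending = self._pending.get(msg.get("instance_id"))
        if pending is None or "request_info" not in msg:
            return None  # unknown instance, or checking information already invalidated
        psk, challenge = pending
        expected = compute_proof(psk, challenge, msg["instance_id"], msg["request_info"])
        # Constant-time comparison: do not leak how much of the proof matched.
        if not hmac.compare_digest(expected.encode(), str(msg.get("proof", "")).encode()):
            return None
        certificate = self._ca.issue(msg["request_info"])
        # Step 103: once the CA-issued certificate is received, the checking
        # information is no longer trusted, so a replayed message is rejected.
        del self._pending[msg["instance_id"]]
        return certificate


def demo() -> dict:
    """Run one tampered, one valid and one replayed request (constructed data)."""
    device = ControlDevice(StubCA())
    psk, challenge = device.on_instantiate("vnf-0001")
    request_info = {"public_key": "constructed-public-key",
                    "certificate_format": "X.509v3",
                    "domain_name": "vnf-0001.example.test",
                    "ca_info": "constructed-example-ca"}
    msg = build_proxy_message("vnf-0001", psk, challenge, request_info)
    # Same proof, different public key: the request no longer matches the proof.
    tampered = dict(msg, request_info=dict(request_info, public_key="substituted-public-key"))
    return {"tampered": device.handle_proxy_message(tampered),
            "first": device.handle_proxy_message(msg),
            "replay": device.handle_proxy_message(msg)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", "certificate issued" if outcome else "rejected")
```

A failed verification leaves the pending entry in place here, because the page ties invalidation only to receipt of the CA-issued certificate (or of the instance's confirmation message).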
Embodiment two:
Fig. 2 is a schematic flowchart of the certificate acquisition method provided by Embodiment two of the present invention. In this embodiment, the VNFM/NFVO has the capability to issue certificates. The method may be as follows.
Step 201: The control device receives the certificate request message sent by the VNF/VNFC instance.
The certificate request message includes checking information and the certificate request information used to apply for a certificate; the checking information is used to set up a certificate application channel between the VNF/VNFC instance and the control device.
It should be noted that the certificate request information contains the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of certificate format, domain name, and certificate authority information.
The control device mentioned here may be a VNFM or an NFVO; this is not limited here.
In step 201, in the virtual network, after VNF/VNFC instantiation is complete, a certificate needs to be applied for on behalf of the VNF/VNFC instance in order to secure communication between the VNF/VNFC instance and other network elements or virtual network elements.
Specifically, on receiving an instruction to instantiate a VNF/VNFC, the control device determines the checking information that will later be used to set up the proxy certificate application channel between the VNF/VNFC instance and the control device, and sends the instruction, carrying the determined checking information, to the VIM. The VIM sends the instantiation instruction to the NFVI, requesting the NFVI to allocate a VM for the VNF/VNFC instance and complete the VNF/VNFC instantiation.
After the NFVI allocates a VM for the VNF/VNFC instance and completes the VNF/VNFC instantiation, it injects the determined checking information carried in the instantiation instruction into the VM that hosts the VNF/VNFC instance.
It should be noted that the checking information mentioned here may also be called initial credential information.
Optionally, the checking information takes, but is not limited to, the following forms:
First case:
The checking information is a temporary credential.
The temporary credential is applied for from the VNFM by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
Or, the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
It should be noted that, whether the NFVO applies to the VNFM for the temporary credential when it determines that the VNF/VNFC needs to be instantiated, or the VNFM generates the temporary credential in a specific way when it determines that the VNF/VNFC needs to be instantiated, a temporary credential generated by the VNFM can be trusted only by the VNFM; other network elements in the virtual network cannot trust it.
For example, the VNFM obtains the temporary credential in a specific way (for example, by signing the public key of the VNF/VNFC instance with a specific private key); the temporary credential can be trusted only by the VNFM, and other network elements do not trust it.
Optionally, the temporary credential is applied for from the CA by the NFVO when the NFVO determines that the VNF/VNFC needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC;
Or, the temporary credential is applied for from the CA by the VNFM when the VNFM determines that the VNF/VNFC needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC.
The precondition for the NFVO/VNFM applying to the CA for a temporary credential, when it determines that the VNF/VNFC instance needs to be instantiated, is:
The CA obtains the temporary credential in a specific way (for example, by signing the public key of the VNF/VNFC instance with a specific private key); the temporary credential can be trusted only by the CA, and other network elements do not trust it.
When the temporary credential is transmitted between the NFVO/VNFM, the VIM and the NFVI, the private key corresponding to the temporary credential may also be transmitted. Transmitting a private key between multiple network elements is a security risk, so this embodiment needs to ensure the communication security between the NFVO/VNFM, the VIM and the NFVI, so that the private key used to apply for the certificate is not leaked. In addition, in this embodiment the temporary credential can be used only once, which prevents the risk of the temporary credential being obtained by a malicious network element during repeated use and further ensures the security of communication between the network elements in the virtual network.
Second case:
The checking information is pre-shared information.
The pre-shared information includes at least one of the following: a pre-shared key (PSK), a user name and password (Password), a token (Token).
The pre-shared information is generated by the NFVO when the NFVO determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
Or, the pre-shared information is generated by the VNFM when the VNFM determines that the VNF/VNFC needs to be instantiated, and is injected via the VIM and the NFVI into the VM that hosts the VNF/VNFC instance.
It should be noted that if the pre-shared information is generated by the NFVO, the NFVO sends the generated pre-shared information to the VNFM; alternatively, the pre-shared information is generated by the VNFM. Either way, the purpose is that the initial communication between the VNF/VNFC instance and the VNFM can be authenticated with the pre-shared information, thereby establishing a trust relationship.
It should be noted that pre-shared information is configured in advance at both ends that need to communicate, and the two ends establish communication by means of it. The key included in the pre-shared information may be a symmetric key, that is, the keys held by the two communicating parties are identical, or an asymmetric key, that is, the keys held by the two communicating parties differ, for example a public/private key pair.
To ensure the legitimacy of the certificate application, the VNF/VNFC instance can apply for the certificate using the determined checking information and the certificate request information used to apply for the certificate.
The VNF/VNFC instance sends a certificate request message to the control device.
The certificate request message includes the checking information and the certificate request information used to apply for the certificate.
Step 202: The control device uses the checking information to verify the VNF/VNFC instance and, when verification passes, issues a certificate according to the received certificate request information and sends the certificate to the VNF/VNFC instance.
In step 202, the way in which the control device uses the checking information to verify the VNF/VNFC instance is the same as the verification in step 102 of Embodiment one and is not repeated here.
In step 202, when the control device has successfully sent the certificate to the VNF/VNFC instance, it determines that the checking information used in the verification process (the temporary credential or pre-shared information) becomes invalid; that is, once the certificate has been sent to the VNF, the checking information is no longer trusted by the control device.
Further preferably, after step 202, the control device determines that the checking information used in step 201 becomes invalid when it receives the confirmation message sent by the VNF/VNFC instance.
In this embodiment of the present invention, the method further includes:
When sending the certificate to the VNF/VNFC instance, the control device uses the certificate to set up a management channel with the VNF/VNFC instance.
Embodiment three:
Fig. 3 is a schematic flowchart of the certificate acquisition method provided by Embodiment three of the present invention. The method may be as follows.
The precondition for implementing Embodiment three of the present invention is that the NFVO/VNFM, the VIM and the NFVI cooperate to create the VM and to start and run the VNF instance on the VM.
It should be noted that a secure trust relationship is established between the NFVI and the VIM; because the VM is controlled by the NFVI, a secure trust relationship can be deemed to be established between the VIM and the VM.
How the secure trust relationship between the NFVI and the VIM is established is described in detail in Embodiment five below and is not described here.
Step 301: The VNFM receives the certificate request proxy message sent by the VIM.
The certificate request proxy message contains the identifier of the VNF requesting a certificate and the certificate request information with which the VNF corresponding to that identifier applies for the certificate;
Or, the identifier of the VNFC instance requesting a certificate and the certificate request information with which the VNFC instance corresponding to that identifier applies for the certificate.
It should be noted that the certificate request information contains at least: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of certificate format, domain name, and certificate authority information.
In step 301, in virtual network, after the instantiation for completing VNF/VNFC examples, in order to ensure the securities that are communicated between other network elements or Virtual NE of instantiation VNF/VNFC are, it is necessary to be the VNF/VNFC example application certificates of instantiation.
Specifically, instantiation VNF/VNFC instructions are sent to VIM by NFVO/VNFM when receiving instantiation VNF/VNFC instructions, and will instantiate VNF/VNFC instructions by VIM is sent to NFVI, Request NFVI is the VNF/VNFC example allocation VM, completes VNF/VNFC instantiations.
Wherein, instantiation VNF/VNFC initiation parameter is included in the instantiation VNF instructions.
NFVI is the VNF/VNFC example allocation VM, and when completing VNF/VNFC instantiations, the initiation parameter for instantiating the VNF examples included in VNF instructions is injected into the VM that the VNF/VNFC examples are entered.
To ensure the legitimacy of the certificate application, the VNF/VNFC instance applies for the certificate through a certificate request proxy.
At this point, the VNF/VNFC instance obtains the certificate request information according to the initialization parameters.
The initialization parameters include at least one of CA information and the domain name of the certificate management domain.
Meanwhile, the VNF/VNFC instance generates a public/private key pair as indicated by the initialization parameters.
The private key is stored locally in the VNF/VNFC instance, and the public key is carried in the certificate request information and sent to the VM on which the VNF/VNFC instance runs.
It should be noted that, because the VNF/VNFC instance runs on the VM, a secure trust link is deemed to be established between the VNF/VNFC instance and the VM.
Because a secure trust relationship is established between the VM and the VIM, the VM, on receiving the certificate request message sent by the VNF/VNFC instance, sends a certificate request proxy message to the VIM over the secure channel between the VM and the VIM.
The certificate request proxy message includes the certificate request information used to apply for the certificate.
On receiving the certificate request proxy message, the VIM forwards it to the VNFM, and the VNFM, acting as the certificate request proxy, applies to the CA for the certificate.
It should be noted that the VNFM establishes a trusted, secure transmission channel with the CA in advance.
Step 302: The VNFM sends a certificate request message to the CA.
The certificate request message includes the certificate request information used to apply for the certificate.
Step 303: The VNFM receives the certificate issued by the CA and sends the certificate to the VIM.
The certificate is generated by the CA according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
In step 303, the VNFM receives the certificate issued by the CA and sends it to the VIM; the VIM sends the certificate to the NFVI over the transmission channel between the VIM and the NFVI, and the certificate is then injected into the VNF/VNFC instance via the VM.
The VNF/VNFC instance receives the certificate and uses it to establish a management channel with the VNFM.
It should be noted that steps 302 to 303 of this embodiment presuppose that the certificate is issued by the CA. If the certificate is issued by the VNFM, step 302 may instead be: the VNFM issues a certificate to the VNF/VNFC instance according to the received certificate request information used to apply for the certificate; and step 303: the VNFM sends the certificate to the VIM.
With the scheme of Embodiment three of the present invention, the instantiated VNF/VNFC sends the certificate request proxy information to the VNFM over the trusted, secure transmission channel between the NFVI and the VIM, and the certificate is then applied for over the trust link between the VNFM and the certificate authority and issued by the certificate authority. This effectively guarantees the legitimacy of the VNF's certificate application and further ensures the security of the management channel established between the VNF/VNFC instance and the VNFM.
Embodiment four:
As shown in Figure 4, a schematic flowchart of a certificate acquisition method is provided by Embodiment four of the present invention. The method may be as follows.
Embodiment four presupposes that the NFVO or VNFM, when it determines to instantiate a VNF instance, applies to the CA for a temporary certificate, which the VNF/VNFC instance uses to apply for a legitimate certificate.
It should be noted that, while the NFVO/VNFM instantiates the VNF/VNFC instance, trusted transmission channels are established among the NFVO/VNFM, the VIM, and the NFVI, so that the VNF instantiation process is not attacked and the private key corresponding to the transmitted temporary certificate is not leaked.
Step 401: The CA receives a certificate request message sent by the VNF/VNFC instance.
The certificate request message includes a temporary certificate and the certificate request information used to apply for a certificate. The temporary certificate is applied for from the CA by the NFVO or VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFV infrastructure (NFVI) into the VM of the VNF/VNFC instance.
It should be noted that the certificate request information includes the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of the certificate format, the domain name, and the certificate authority information.
In step 401, in the virtual network, after instantiation of the VNF/VNFC instance is complete, a certificate needs to be applied for on behalf of the instantiated VNF/VNFC instance in order to secure communication between the instantiated VNF/VNFC instance and other network elements or virtual network elements.
Specifically, on receiving an instruction to instantiate a VNF/VNFC, the NFVO/VNFM sends the instruction to the VIM, and the VIM sends it to the NFVI, requesting the NFVI to allocate a VM to the VNF/VNFC instance and complete the VNF/VNFC instantiation.
The instruction to instantiate the VNF instance includes the initialization parameters of the VNF/VNFC instance.
When the NFVI allocates the VM to the VNF/VNFC instance and completes the VNF/VNFC instantiation, it injects the initialization parameters of the VNF/VNFC instance contained in the instantiation instruction into the VM of the VNF/VNFC instance.
At this point, the VNF/VNFC instance obtains the certificate request information according to the initialization parameters.
The initialization parameters include CA information and the domain name of the certificate management domain. They are generated when the NFVO determines to instantiate the VNF/VNFC instance, and are injected by the NFVI when it allocates the VM to the VNF/VNFC instance and completes the VNF/VNFC instantiation.
The VNF instance generates the public/private key pair used to apply for the certificate according to the initialization parameters.
The private key is stored locally in the VNF/VNFC instance.
The public key is carried in the certificate request information and sent to the certificate authority (CA).
It should be noted that the VNF/VNFC instance, according to the injected certificate authority (CA) information, carries the temporary certificate and the certificate request information used to apply for the certificate in a certificate request message and sends it to the CA.
Step 402: The CA authenticates the VNF/VNFC instance using the temporary certificate and, when authentication succeeds, issues a certificate to the VNF/VNFC instance according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
In step 402, on receiving the certificate request message, the CA authenticates the VNF/VNFC instance using the temporary certificate included in the certificate request message and, when authentication succeeds, issues a certificate to the VNF/VNFC instance according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
In this embodiment of the present invention, the method further includes:
After obtaining the certificate, the VNF uses it to establish a management channel with the VNFM.
With the scheme of Embodiment four of the present invention, the instantiated VNF uses the temporary certificate that the NFVO/VNFM applied for when determining to instantiate the VNF instance to establish a trusted channel with the CA for applying for a certificate. This effectively guarantees the legitimacy of the VNF's certificate application and further ensures the security of the management channel established between the VNF and the VNFM using the certificate issued by the certificate authority.
Embodiment five:
As shown in Figure 5, a schematic flowchart of a certificate acquisition method is provided by Embodiment five of the present invention. The method may be as follows.
Embodiment five of the present invention specifically describes a method for establishing a management channel between a VM and the VMM or VIM.
Step 501: The NFVI receives a certificate request message sent by a VM.
The certificate request message includes the certificate request information used to apply for a certificate.
It should be noted that the certificate request information includes the public key of the public/private key pair generated by the VM, and one or more of the certificate format, the domain name, and the certificate authority information.
In step 501, in the virtual network, after instantiation of the VNF/VNFC is complete, a certificate needs to be applied for on behalf of the instantiated VNF/VNFC instance in order to secure communication between the instantiated VNF/VNFC instance and other network elements or virtual network elements.
Because the VM on which the VNF/VNFC instance runs is allocated when the VNF/VNFC needs to be instantiated, a management channel needs to be established between the VM and the VMM after the VM is allocated. This ensures the legitimacy of the VM, which in turn strengthens the legitimacy of the VNF instance.
Specifically, on receiving an instruction to instantiate a VNF instance, the NFVO sends the instruction to instantiate the VNF/VNFC to the VIM, and the VIM sends it to the NFVI, requesting the NFVI to allocate a VM to the VNF/VNFC instance and complete the VNF/VNFC instantiation.
The NFVI allocates a VM to the VNF/VNFC instance according to the instruction to instantiate the VNF/VNFC.
The VIM sends a request to allocate virtual resources to the NFVI, and that request includes, among other things, the initialization parameters for the certificate request.
After allocating the VM to the VNF/VNFC instance according to the instruction to instantiate the VNF/VNFC, the NFVI injects the initialization parameters for the certificate request into the VM.
When the VM starts, it generates a public/private key pair as indicated by the initialization parameters.
The initialization parameters include CA information and the domain name of the certificate management domain, and are obtained by the VIM when it receives the NFVO's request to generate the VM.
The private key is stored locally in the VM; the public key is used to apply for the certificate and is carried in the certificate request information.
At this point, the VM sends a certificate request message to the NFVI.
Step 502: The NFVI sends a certificate request proxy message to the CA.
The certificate request proxy message includes the certificate request information with which the VM applies for the certificate.
In step 502, the ways in which the NFVI sends the certificate request proxy message to the CA include but are not limited to:
First way:
A trusted transmission channel is pre-established between the NFVI and the CA; in this case, the NFVI sends the certificate request proxy message directly to the CA.
The second way:
A trusted transmission channel is pre-established between the VIM and the CA.
The NFVI sends the certificate request proxy message to the VIM, and the VIM forwards it to the CA.
As shown in Figure 6, a schematic flowchart of a certificate acquisition method is provided.
Specifically, on receiving the certificate request message sent by the VM, the NFVI generates a certificate request proxy message and sends it to the VIM, and the VIM forwards it to the CA.
Step 503: The NFVI receives the certificate issued by the CA and sends the certificate to the VM.
The certificate is generated by the CA according to the VM's certificate request information, used to apply for the certificate, that is included in the certificate request proxy message.
In step 503, methods described also includes:
After the VM receives the certificate, a management channel is established between the VM and the management device (VIM) of the VM.
With the scheme of Embodiment five of the present invention, the VM obtains a legitimate certificate through the certificate request proxy and establishes a trusted transmission channel with the VMM or VIM. This lays the groundwork for establishing a trusted management channel between the VNF/VNFC instance and the VNFM using a certificate issued by the certificate authority, and effectively improves the security of the management channel between the VNF/VNFC instance and the VNFM.
Embodiment six:
As shown in Figure 7, a schematic structural diagram of a certificate acquisition device is provided by Embodiment six of the present invention. The certificate acquisition device includes a receiving module 71 and a sending module 72, wherein:
The receiving module 71 is configured to receive a certificate request proxy message sent by a VNF/VNFC instance, where the certificate request proxy message includes verification information and the certificate request information used to apply for a certificate, and the verification information is used to establish a channel for applying for a certificate by proxy between the VNF/VNFC instance and the control device;
The sending module 72 is configured to verify the VNF/VNFC instance using the verification information received by the receiving module 71 and, when verification succeeds, send a certificate request message to the CA, where the certificate request message includes the certificate request information used to apply for the certificate;
The receiving module 71 is further configured to receive the certificate issued by the CA;
The sending module 72 is further configured to send the certificate received by the receiving module 61 to the VNF/VNFC instance, where the certificate is generated by the CA according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
Optionally, when the verification information is a temporary certificate, the temporary certificate is applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the temporary certificate is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
Optionally, when the verification information is pre-shared information, the pre-shared information is generated by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
The pre-shared information includes at least one of the following:
PSK, Password, token.
Optionally, the control device is the VNFM.
Optionally, when the control device is the NFVO, the receiving module is specifically configured to receive the certificate request proxy message sent by the VNFM, where the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
Optionally, the certificate acquisition device further includes a channel establishment module 73, wherein:
The channel establishment module 73 is configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
Optionally, the certificate request information includes the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of the certificate format, the domain name, and the certificate authority information.
It should be noted that the device described in this embodiment of the present invention may be a logical component integrated into the VNFM or NFVO in a virtualized system, with the function of applying for certificates by proxy for VNF/VNFC instances. It may be implemented in hardware or in software, which is not limited here.
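The verify-then-forward step performed by the receiving module 71 and sending module 72 of Embodiment six, worked through for the pre-shared-information case, as an added example that is not part of the patent text. The patent does not specify how the verification information is checked: the HMAC-SHA256 tag computed with the PSK, the JSON message layout and field names, the single-use handling of the PSK, and the stand-in CA function are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


def application_mac(psk: bytes, instance_id: str, application_info: dict) -> bytes:
    """HMAC-SHA256 over an unambiguous encoding of instance ID and request info."""
    body = json.dumps([instance_id, application_info],
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(psk, body.encode(), hashlib.sha256).digest()


class VnfInstance:
    """VNF/VNFC instance holding the PSK injected into its VM at instantiation."""

    def __init__(self, instance_id, psk, domain_name, ca_info):
        self.instance_id = instance_id
        self._psk = psk
        # Stand-in for the public half of a locally generated key pair;
        # the private key would stay inside the instance.
        self.public_key = secrets.token_hex(32)
        self.application_info = {
            "public_key": self.public_key,
            "certificate_format": "X.509",
            "domain_name": domain_name,
            "ca_info": ca_info,
        }

    def build_proxy_message(self) -> dict:
        tag = application_mac(self._psk, self.instance_id, self.application_info)
        return {
            "instance_id": self.instance_id,
            "verification": tag.hex(),
            "application_info": dict(self.application_info),
        }


class Vnfm:
    """Control device: verifies the applicant, then applies to the CA for it."""

    def __init__(self, submit_to_ca):
        self._submit_to_ca = submit_to_ca  # stands in for the trusted VNFM-to-CA channel
        self._pending = {}                 # instance_id -> PSK awaiting first use

    def instantiate(self, instance_id: str) -> bytes:
        """Generate the PSK that the VIM/NFVI would inject into the instance's VM."""
        psk = secrets.token_bytes(32)
        self._pending[instance_id] = psk
        return psk

    def handle_proxy_message(self, msg: dict) -> dict:
        instance_id = msg.get("instance_id")
        info = msg.get("application_info")
        if not isinstance(instance_id, str) or not isinstance(info, dict):
            return {"status": "rejected", "reason": "malformed message"}
        psk = self._pending.get(instance_id)
        if psk is None:
            return {"status": "rejected", "reason": "no pending instantiation"}
        try:
            presented = bytes.fromhex(msg.get("verification"))
        except (TypeError, ValueError):
            return {"status": "rejected", "reason": "malformed verification"}
        expected = application_mac(psk, instance_id, info)
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            return {"status": "rejected", "reason": "verification failed"}
        # Verified: only the certificate request information goes on to the CA.
        certificate = self._submit_to_ca(info)
        # Assumption of this example: the PSK is single-use, so a captured
        # message cannot be replayed to obtain a second certificate.
        del self._pending[instance_id]
        return {"status": "issued", "certificate": certificate}


def run_demo():
    submitted = []

    def constructed_ca(info):
        # Constructed stand-in for CA issuance; no real signing happens here.
        submitted.append(info)
        return {"subject": info["domain_name"], "issuer": info["ca_info"],
                "public_key": info["public_key"]}

    vnfm = Vnfm(constructed_ca)
    psk = vnfm.instantiate("vnfc-0001")  # constructed identifier
    instance = VnfInstance("vnfc-0001", psk, "vnf.mgmt.example", "ca.example")
    genuine = instance.build_proxy_message()
    forged = json.loads(json.dumps(genuine))
    forged["application_info"]["public_key"] = "00" * 32  # substituted key
    statuses = [vnfm.handle_proxy_message(m)["status"]
                for m in (forged, genuine, genuine)]
    return statuses, len(submitted)


if __name__ == "__main__":
    print(run_demo())
```

Because the tag covers the public key, a request whose key has been swapped in transit fails verification at the control device and never reaches the CA.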
Embodiment seven:
As shown in Figure 8, a schematic structural diagram of a certificate acquisition device is provided by Embodiment seven of the present invention. The certificate acquisition device includes a receiving module 81 and a sending module 82, wherein:
The receiving module 81 is configured to receive a certificate request message sent by a VNF/VNFC instance, where the certificate request message includes verification information and the certificate request information used to apply for a certificate, and the verification information is used to establish a channel for applying for a certificate between the VNF/VNFC instance and the control device;
The sending module 82 is configured to verify the VNF/VNFC instance using the received verification information and, when verification succeeds, issue a certificate according to the received certificate request information and send the certificate to the VNF/VNFC instance.
Optionally, when the verification information is a temporary certificate, the temporary certificate is applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the temporary certificate is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
Optionally, when the verification information is pre-shared information, the pre-shared information is generated by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
Optionally, the pre-shared information includes at least one of the following:
PSK, Password, token.
Optionally, the control device is the VNFM.
Optionally, when the control device is the NFVO, the receiving module is specifically configured to receive the certificate request message sent by the VNFM, where the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
Optionally, the certificate acquisition device further includes a channel establishment module 83, wherein:
The channel establishment module 83 is configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
Optionally, the certificate request information includes the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of the certificate format, the domain name, and the certificate authority information.
It should be noted that the device described in this embodiment of the present invention may be a logical component integrated into the VNFM or NFVO in a virtualized system, with the function of applying for certificates by proxy for VNF/VNFC instances. It may be implemented in hardware or in software, which is not limited here.
Embodiment eight:
As shown in Figure 9, a schematic structural diagram of a certificate acquisition device is provided by Embodiment eight of the present invention. The certificate acquisition device includes a receiving module 91 and a sending module 92, wherein:
The receiving module 91 is configured to receive a certificate request proxy message sent by the VIM, where the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information with which the VNF corresponding to that identifier applies for the certificate; or, the identifier of the VNFC instance requesting a certificate and the certificate request information with which the VNFC instance corresponding to that identifier applies for the certificate;
The sending module 92 is configured to send a certificate request message to the CA, where the certificate request message includes the certificate request information with which the VNF/VNFC instance applies for the certificate;
The receiving module 91 is further configured to receive the certificate issued by the CA;
The sending module 92 is further configured to send the certificate to the VIM, where the certificate is generated by the CA according to the VNF/VNFC instance's certificate request information, used to apply for the certificate, that is included in the certificate request message.
Optionally, the certificate request proxy message is generated by the VIM according to the received certificate request information, where the certificate request information is obtained by the VNF/VNFC instance according to the initialization parameters, sent by the VNF/VNFC instance to the VM, and then sent by the VM to the VIM over the secure channel between the VM and the VIM.
Optionally, the certificate request proxy message is generated by the VIM according to the received certificate request information, where the certificate request information is obtained by the VNF/VNFC instance according to the initialization parameters, sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and then sent to the VIM over the secure channel between the NFVI and the VIM.
Optionally, the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained when the network functions virtualization orchestrator (NFVO) or the VNFM determines to instantiate the VNF/VNFC instance.
Optionally, the certificate request information includes the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of the certificate format, the domain name, and the certificate authority information.
It should be noted that the device described in this embodiment of the present invention may be a logical component integrated into the VNFM or NFVO in a virtualized system, with the function of applying for certificates by proxy for VNF/VNFC instances. It may be implemented in hardware or in software, which is not limited here.
Embodiment nine:
As shown in Figure 10, a schematic structural diagram of a certificate acquisition device is provided by Embodiment nine of the present invention. The certificate acquisition device includes a receiving module 1001 and an issuing module 1002, wherein:
The receiving module 1001 is configured to receive a certificate request message sent by a VNF/VNFC instance, where the certificate request message includes a temporary certificate and the certificate request information used to apply for a certificate; the temporary certificate is applied for from the CA by the NFVO/VNFM when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
The issuing module 1002 is configured to authenticate the VNF/VNFC instance using the temporary certificate received by the receiving module 1001 and, when authentication succeeds, issue a certificate to the VNF/VNFC instance according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
It should be noted that the device described in this embodiment of the present invention may be a certificate authority; besides a CA, it may also be another device with a certificate authentication function, which is not limited here. It may be implemented in hardware or in software, which is not limited here.
Embodiment ten:
As shown in Figure 11, a schematic structural diagram of a certificate acquisition device is provided by Embodiment ten of the present invention. The certificate acquisition device includes a receiving module 1101 and a sending module 1102, wherein:
The receiving module 1101 is configured to receive a certificate request message sent by a VM, where the certificate request message includes the certificate request information used to apply for a certificate;
The sending module 1102 is configured to send a certificate request proxy message to the CA, where the certificate request proxy message includes the certificate request information with which the VM applies for the certificate;
The receiving module 1101 is configured to receive the certificate issued by the CA;
The sending module 1102 is configured to send the certificate to the VM, where the certificate is obtained by the CA according to the VM's certificate request information, used to apply for the certificate, that is included in the certificate request proxy message.
Optionally, the sending module 1102 is specifically configured to send the certificate request proxy message to the VIM, and the VIM forwards the certificate request proxy message to the CA.
Optionally, the certificate acquisition device further includes a channel establishment module 1103, wherein:
The channel establishment module 1103 is configured to, when the VM receives the certificate, establish a management channel between the VM and the management device of the VM.
Optionally, the certificate request information includes the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of the certificate format, the domain name, and the certificate authority information.
Optionally, the public key is generated by the VM according to the initialization parameters, where the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained by the VIM when it receives the request to generate the VM sent by the network functions virtualization orchestrator (NFVO).
It should be noted that the device described in this embodiment of the present invention may be a logical component integrated into the NFVI, with the function of applying for certificates by proxy for VMs. It may be implemented in hardware or in software, which is not limited here.
Embodiment 11:
As shown in Figure 12, a schematic structural diagram of a certificate acquisition device is provided by Embodiment 11 of the present invention. The certificate acquisition device includes a signal receiver 1201 and a signal transmitter 1202, where the signal receiver 1201 and the signal transmitter 1202 communicate through a communication bus 1203.
The signal receiver 1201 is configured to receive a certificate request proxy message sent by a VNF/VNFC instance, where the certificate request proxy message includes verification information and the certificate request information used to apply for a certificate, and the verification information is used to establish a channel for applying for a certificate by proxy between the VNF/VNFC instance and the control device;
The signal transmitter 1202 is configured to verify the VNF/VNFC instance using the verification information and, when verification succeeds, send a certificate request message to the certificate authority (CA), where the certificate request message includes the certificate request information used to apply for the certificate;
The signal receiver 1201 is further configured to receive the certificate issued by the CA;
The signal transmitter 1202 is further configured to send the certificate to the VNF/VNFC instance, where the certificate is generated by the CA according to the certificate request information, used to apply for the certificate, that is included in the certificate request message.
Optionally, when the verification information is a temporary certificate, the temporary certificate is applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the temporary certificate is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
Optionally, when the verification information is pre-shared information, the pre-shared information is generated by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
The pre-shared information includes at least one of the following:
PSK, Password, token.
Optionally, the control device is the VNFM.
Optionally, when the control device is the NFVO, the signal receiver is specifically configured to receive the certificate request proxy message sent by the VNFM, where the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
Optionally, the certificate acquisition device further includes a processor 1204, wherein:
The processor 1204 is configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
Optionally, the certificate request information includes the public key of the public/private key pair generated by the VNF/VNFC instance, and at least one or more of the certificate format, the domain name, and the certificate authority information.
The processor 1204 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits used to control execution of the program of the solution of the present invention.
The communication bus 1203 may include a path for transferring information between the above components.
It should be noted that the certificate acquisition device described in this embodiment of the present invention may be a logical component integrated into the VNFM/NFVO, with the function of applying for certificates by proxy for VNF/VNFC instances. It may be implemented in hardware or in software, which is not limited here.
Embodiment 12:
As shown in Figure 13, a schematic structural diagram of a certificate acquisition device is provided by Embodiment 12 of the present invention. The certificate acquisition device includes a signal receiver 1301 and a signal transmitter 1302, wherein:
The signal receiver 1301 is configured to receive a certificate request message sent by a VNF/VNFC instance, where the certificate request message includes verification information and the certificate request information used to apply for a certificate, and the verification information is used to establish a channel for applying for a certificate between the VNF/VNFC instance and the control device;
The signal transmitter 1302 is configured to verify the VNF/VNFC instance using the received verification information and, when verification succeeds, issue a certificate according to the received certificate request information and send the certificate to the VNF/VNFC instance.
Optionally, when the verification information is a temporary certificate, the temporary certificate is applied for from the VNFM by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the temporary certificate is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
Optionally, when the verification information is pre-shared information, the pre-shared information is generated by the NFVO when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs;
or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM on which the VNF/VNFC instance runs.
The pre-shared information includes at least one of the following:
PSK, Password, token.
Optionally, the control device is the VNFM.
Optionally, when the control device is the NFVO, the signal receiver 1301 is specifically configured to receive the certificate request message sent by the VNFM, wherein the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
Optionally, the certificate acquisition device further includes a processor 1303, wherein:
The processor 1303 is configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
Optionally, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
The processor 1303 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the solution of the present invention.
It should be noted that the certificate acquisition device described in this embodiment of the present invention may be a logical component integrated in the VNFM/NFVO that applies for certificates on behalf of VNF/VNFC instances. It may be implemented in hardware or in software, which is not limited here.
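The verification step of Embodiment 12, for the case where the verification information is pre-shared information, can be sketched as follows. This is an added example, not code from the patent: the HMAC-SHA256 proof, the single-use and expiry rules, the message field names, and the `demo_issuer` stand-in for certificate issuance are all assumptions, because the text does not specify how the pre-shared information is checked.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample of the certificate request information listed in the text:
# public key, certificate format, domain name, CA information.
SAMPLE_REQUEST_INFO = {
    "public_key": "constructed-public-key-placeholder",
    "certificate_format": "X.509v3",
    "domain_name": "vnfc-001.mgmt.example.net",
    "ca_info": "ca.example.net",
}


def compute_proof(psk, instance_id, request_info):
    """HMAC-SHA256 over the instance id and canonical request info (assumed scheme)."""
    canonical = json.dumps(request_info, sort_keys=True, separators=(",", ":"))
    data = instance_id.encode() + b"\x00" + canonical.encode()
    return hmac.new(psk, data, hashlib.sha256).hexdigest()


def build_request(instance_id, psk, request_info):
    """Instance side: certificate request message = request info + verification info."""
    return {
        "instance_id": instance_id,
        "request_info": request_info,
        "proof": compute_proof(psk, instance_id, request_info),
    }


def demo_issuer(instance_id, request_info):
    """Stand-in for issuance (assumption): returns the fields a real CA would sign."""
    return {
        "issued_to": instance_id,
        "subject": request_info["domain_name"],
        "public_key": request_info["public_key"],
    }


class ControlDevice:
    """Hypothetical VNFM/NFVO-side handler for certificate request messages."""

    def __init__(self, issue_certificate, psk_lifetime_s=300):
        self._issue = issue_certificate
        self._lifetime = psk_lifetime_s
        self._pending = {}  # instance_id -> (psk, expiry time)

    def instantiate(self, instance_id, now=None):
        """Create pre-shared info when instantiation is decided.

        The returned value is what would be injected into the VM via VIM/NFVI.
        """
        now = time.time() if now is None else now
        psk = secrets.token_bytes(32)
        self._pending[instance_id] = (psk, now + self._lifetime)
        return psk

    def handle_request(self, message, now=None):
        """Verify the instance, then issue. Returns (certificate or None, status)."""
        now = time.time() if now is None else now
        instance_id = message.get("instance_id")
        request_info = message.get("request_info")
        proof = message.get("proof")
        if not isinstance(instance_id, str) or instance_id not in self._pending:
            return None, "unknown-instance"
        psk, expiry = self._pending[instance_id]
        if now > expiry:
            del self._pending[instance_id]
            return None, "expired"
        if not isinstance(request_info, dict) or not isinstance(proof, str):
            return None, "bad-proof"
        expected = compute_proof(psk, instance_id, request_info)
        # Constant-time comparison; the proof covers the public key, so a
        # substituted key invalidates the request.
        if not hmac.compare_digest(expected.encode(), proof.encode()):
            return None, "bad-proof"
        # Single use: the pre-shared info cannot obtain a second certificate.
        del self._pending[instance_id]
        return self._issue(instance_id, request_info), "ok"
```

Binding the proof to both the instance identifier and the request information means a captured message cannot be reused for another instance or with a different public key.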
Embodiment 13:
Figure 14 is a schematic structural diagram of a certificate acquisition device provided in Embodiment 13 of the present invention. The certificate acquisition device includes a signal receiver 1401 and a signal transmitter 1402, wherein the signal receiver 1401 and the signal transmitter 1402 are connected by a communication bus 1403.
The signal receiver 1401 is configured to receive a certificate request proxy message sent by the VIM, wherein the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information used by the VNF corresponding to that VNF identifier to apply for a certificate; or, the identifier of the VNFC instance requesting a certificate and the certificate request information used by the VNFC instance corresponding to that VNFC instance identifier to apply for a certificate;
The signal transmitter 1402 is configured to send a certificate request message to the CA, wherein the certificate request message includes the certificate request information used by the VNF/VNFC instance to apply for a certificate;
The signal receiver 1401 is further configured to receive the certificate issued by the CA;
The signal transmitter 1402 is further configured to send the certificate to the VIM, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used by the VNF/VNFC instance to apply for a certificate.
Optionally, the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the VM, and then sent by the VM to the VIM through a secure channel between the VM and the VIM.
Optionally, the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and then sent to the VIM through a secure channel between the NFVI and the VIM.
Optionally, the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained when the NFVO or the VNFM determines to instantiate the VNF/VNFC instance.
Optionally, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
It should be noted that the certificate acquisition device described in this embodiment of the present invention may be integrated in the VNFM/NFVO and applies for certificates on behalf of VNF/VNFC instances. It may be implemented in hardware or in software, which is not limited here.
Embodiment 14:
Figure 15 is a schematic structural diagram of a certificate acquisition device provided in Embodiment 14 of the present invention. The certificate acquisition device includes a signal receiver 1501 and a processor 1502, wherein the signal receiver 1501 and the processor 1502 are connected by a communication bus 1503.
The signal receiver 1501 is configured to receive a certificate request message sent by a VNF/VNFC instance, wherein the certificate request message includes a temporary credential and certificate request information used for applying for a certificate; the temporary credential is applied for from the CA by the NFVO/VNFM when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides;
The processor 1502 is configured to authenticate the VNF/VNFC instance by using the temporary credential and, when the authentication succeeds, issue a certificate to the VNF/VNFC instance according to the certificate request information, included in the certificate request message, used for applying for a certificate.
The processor 1502 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the solution of the present invention.
The communication bus 1503 may include a path for transferring information between the foregoing components.
It should be noted that the device described in this embodiment of the present invention may be a certificate authority; besides a CA, it may also be another device that has a certificate authentication function, which is not limited here. It may be implemented in hardware or in software, which is not limited here.
Embodiment 15:
Figure 16 is a schematic structural diagram of a certificate acquisition device provided in Embodiment 15 of the present invention. The device includes a signal receiver 1601 and a signal transmitter 1602, wherein the signal receiver 1601 and the signal transmitter 1602 are connected by a communication bus 1603.
The signal receiver 1601 is configured to receive a certificate request message sent by a VM, wherein the certificate request message includes certificate request information used for applying for a certificate;
The signal transmitter 1602 is configured to send a certificate request proxy message to the CA, wherein the certificate request proxy message includes the certificate request information used by the VM to apply for a certificate;
The signal receiver 1601 is further configured to receive the certificate issued by the CA;
The signal transmitter 1602 is further configured to send the certificate to the VM, wherein the certificate is obtained by the CA according to the certificate request information, included in the certificate request proxy message, used by the VM to apply for a certificate.
Specifically, the signal transmitter 1602 is configured to send the certificate request proxy message to the VIM, and the VIM forwards the certificate request proxy message to the CA.
Optionally, the certificate acquisition device further includes a processor 1604, wherein:
The processor 1604 is configured to, when the VM receives the certificate, establish a management channel between the VM and the management device of the VM.
Optionally, the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
Optionally, the public key is generated by the VM according to initialization parameters, wherein the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained by the VIM when the VIM receives the request to generate the VM sent by the network functions virtualization orchestrator (NFVO).
The processor 1604 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the solution of the present invention.
The communication bus 1603 may include a path for transferring information between the foregoing components.
It should be noted that the device described in this embodiment of the present invention may be a logical component integrated in the NFVI that applies for certificates on behalf of VMs. It may be implemented in hardware or in software, which is not limited here.
Persons skilled in the art will understand that the embodiments of the present invention may be provided as a method, an apparatus (device), or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (device), and computer program product according to the embodiments of the present invention. It should be understood that computer program instructions may implement each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction apparatus, and the instruction apparatus implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, persons skilled in the art can make other changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, persons skilled in the art can make various changes and variations to the present invention without departing from the spirit and scope of the present invention. If these modifications and variations fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to cover them.

Claims (81)

  1. A certificate acquisition device, comprising:
    a receiving module, configured to receive a certificate request proxy message sent by a VNF/VNFC instance, wherein the certificate request proxy message includes verification information and certificate request information used for applying for a certificate, and the verification information is used to establish a proxy certificate application channel between the VNF/VNFC instance and a control device;
    a sending module, configured to verify the VNF/VNFC instance by using the verification information and, when the verification succeeds, send a certificate request message to a certificate authority (CA), wherein the certificate request message includes the certificate request information used for applying for a certificate;
    the receiving module being further configured to receive the certificate issued by the CA;
    the sending module being further configured to send the certificate to the VNF/VNFC instance, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used for applying for a certificate.
  2. The certificate acquisition device according to claim 1, wherein, when the verification information is a temporary credential, the temporary credential is applied for from a virtualized network function manager (VNFM) by a network functions virtualization orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    or, the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides.
  3. The certificate acquisition device according to claim 1, wherein, when the verification information is pre-shared information, the pre-shared information is generated by a network functions virtualization orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    or, the pre-shared information is generated by the VNFM when the VNFM determines that the VNF needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides.
  4. The certificate acquisition device according to claim 3, wherein the pre-shared information includes at least one of the following:
    a pre-shared key (PSK), a username and password (Password), a token.
  5. The certificate acquisition device according to any one of claims 1 to 4, wherein
    the control device is a virtualized network function manager (VNFM).
  6. The certificate acquisition device according to any one of claims 1 to 4, wherein, when the control device is a network functions virtualization orchestrator (NFVO), the receiving module is specifically configured to receive the certificate request proxy message sent by a virtualized network function manager (VNFM), wherein the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
  7. The certificate acquisition device according to any one of claims 1 to 6, wherein the certificate acquisition device further comprises:
    a channel establishment module, configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
  8. The certificate acquisition device according to any one of claims 1 to 7, wherein the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  9. A certificate acquisition device, comprising:
    a receiving module, configured to receive a certificate request proxy message sent by the virtualized infrastructure manager (VIM) in the VNF framework, wherein the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information used by the VNF corresponding to that VNF identifier to apply for a certificate; or, the identifier of the VNFC instance requesting a certificate and the certificate request information used by the VNFC instance corresponding to that VNFC instance identifier to apply for a certificate;
    a sending module, configured to send a certificate request message to a certificate authority (CA), wherein the certificate request message includes the certificate request information used by the VNF/VNFC instance to apply for a certificate;
    the receiving module being further configured to receive the certificate issued by the CA;
    the sending module being further configured to send the certificate to the VIM, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used by the VNF/VNFC instance to apply for a certificate.
  10. The certificate acquisition device according to claim 9, wherein the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the VM, and then sent by the VM to the VIM through a secure channel between the VM and the VIM.
  11. The certificate acquisition device according to claim 9, wherein the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and then sent to the VIM through a secure channel between the NFVI and the VIM.
  12. The certificate acquisition device according to any one of claims 9 to 11, wherein the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained when a network functions virtualization orchestrator (NFVO) or the VNFM determines to instantiate the VNF/VNFC instance.
  13. The certificate acquisition device according to any one of claims 9 to 12, wherein the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  14. A certificate acquisition device, comprising:
    a receiving module, configured to receive a certificate request message sent by a virtualized network function VNF/VNFC instance, wherein the certificate request message includes a temporary credential and certificate request information used for applying for a certificate; the temporary credential is applied for from the CA by a network functions virtualization orchestrator (NFVO)/virtualized network function manager (VNFM) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM by the NFVO when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    an issuing module, configured to authenticate the VNF/VNFC instance by using the temporary credential and, when the authentication succeeds, issue a certificate to the VNF/VNFC instance according to the certificate request information, included in the certificate request message, used for applying for a certificate.
  15. A certificate acquisition device, comprising:
    a receiving module, configured to receive a certificate request message sent by a virtual machine (VM), wherein the certificate request message includes certificate request information used for applying for a certificate;
    a sending module, configured to send a certificate request proxy message to a certificate authority (CA), wherein the certificate request proxy message includes the certificate request information used by the VM to apply for a certificate;
    the receiving module being configured to receive the certificate issued by the CA;
    the sending module being configured to send the certificate to the VM, wherein the certificate is obtained by the CA according to the certificate request information, included in the certificate request proxy message, used by the VM to apply for a certificate.
  16. The certificate acquisition device according to claim 15, wherein
    the sending module is specifically configured to send the certificate request proxy message to the virtualized infrastructure manager (VIM) in the virtualized network function framework, and the VIM forwards the certificate request proxy message to the CA.
  17. The certificate acquisition device according to claim 15 or 16, wherein the certificate acquisition device further comprises:
    a channel establishment module, configured to, when the VM receives the certificate, establish a management channel between the VM and the management device of the VM.
  18. The certificate acquisition device according to any one of claims 15 to 17, wherein the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  19. The certificate acquisition device according to claim 18, wherein the public key is generated by the VM according to initialization parameters, wherein the initialization parameters include CA information and the domain name of the certificate management domain, and are obtained by the VIM when the VIM receives the request to generate the VM sent by a network functions virtualization orchestrator (NFVO).
  20. A certificate acquisition device, comprising:
    a receiving module, configured to receive a certificate request message sent by a VNF/VNFC instance, wherein the certificate request message includes verification information and certificate request information used for applying for a certificate, and the verification information is used to establish a certificate application channel between the VNF/VNFC instance and a control device;
    a sending module, configured to verify the VNF/VNFC instance by using the received verification information and, when the verification succeeds, issue a certificate according to the received certificate request information and send the certificate to the VNF/VNFC instance.
  21. The certificate acquisition device according to claim 20, wherein, when the verification information is a temporary credential, the temporary credential is applied for from a virtualized network function manager (VNFM) by a network functions virtualization orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    or, the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides.
  22. The certificate acquisition device according to claim 20, wherein, when the verification information is pre-shared information, the pre-shared information is generated by a network functions virtualization orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    or, the pre-shared information is generated by the VNFM when the VNFM determines that the VNF needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides.
  23. The certificate acquisition device according to claim 22, wherein the pre-shared information includes at least one of the following:
    a pre-shared key (PSK), a username and password (Password), a token.
  24. The certificate acquisition device according to any one of claims 20 to 23, wherein the control device is a virtualized network function manager (VNFM).
  25. The certificate acquisition device according to any one of claims 20 to 23, wherein, when the control device is a network functions virtualization orchestrator (NFVO), the receiving module is specifically configured to receive the certificate request message sent by a virtualized network function manager (VNFM), wherein the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
  26. The certificate acquisition device according to any one of claims 20 to 25, wherein the certificate acquisition device further comprises:
    a channel establishment module, configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
  27. The certificate acquisition device according to any one of claims 20 to 26, wherein the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  28. A certificate acquisition device, comprising:
    a signal receiver, configured to receive a certificate request proxy message sent by a VNF/VNFC instance, wherein the certificate request proxy message includes verification information and certificate request information used for applying for a certificate, and the verification information is used to establish a proxy certificate application channel between the VNF/VNFC instance and a control device;
    a signal transmitter, configured to verify the VNF/VNFC instance by using the verification information and, when the verification succeeds, send a certificate request message to a certificate authority (CA), wherein the certificate request message includes the certificate request information used for applying for a certificate;
    the signal receiver being further configured to receive the certificate issued by the CA;
    the signal transmitter being further configured to send the certificate to the VNF/VNFC instance, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used for applying for a certificate.
  29. The certificate acquisition device according to claim 28, wherein, when the verification information is a temporary credential, the temporary credential is applied for from a virtualized network function manager (VNFM) by a network functions virtualization orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    or, the temporary credential is generated by the VNFM when the VNFM determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides.
  30. The certificate acquisition device according to claim 28, wherein, when the verification information is pre-shared information, the pre-shared information is generated by a network functions virtualization orchestrator (NFVO) when the NFVO determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) on which the VNF/VNFC instance resides;
    or, the pre-shared information is generated by the VNFM when the VNFM determines that the VNF needs to be instantiated, and is injected, via the VIM and the NFVI, into the VM on which the VNF/VNFC instance resides.
  31. The certificate acquisition device according to claim 30, wherein the pre-shared information includes at least one of the following:
    a pre-shared key (PSK), a username and password (Password), a token.
  32. The certificate acquisition device according to any one of claims 28 to 31, wherein the control device is a virtualized network function manager (VNFM).
  33. The certificate acquisition device according to any one of claims 28 to 31, wherein, when the control device is a network functions virtualization orchestrator (NFVO), the signal receiver is specifically configured to receive the certificate request proxy message sent by a virtualized network function manager (VNFM), wherein the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
  34. The certificate acquisition device according to any one of claims 28 to 33, wherein the certificate acquisition device further comprises a processor, wherein:
    the processor is configured to, when the certificate is sent to the VNF/VNFC instance, use the certificate to establish a management channel with the VNF/VNFC instance.
  35. The certificate acquisition device according to any one of claims 28 to 34, wherein the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  36. A certificate acquisition device, characterized by including:
    a signal receiver, configured to receive a certificate request proxy message sent by the virtualized infrastructure manager (VIM) in the VNF framework, wherein the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information used to apply for a certificate for the VNF corresponding to that VNF identifier; or, the identifier of the VNFC instance requesting a certificate and the certificate request information used to apply for a certificate for the VNFC instance corresponding to that VNFC instance identifier;
    a signal transmitter, configured to send a certificate request message to a certificate authority (CA), wherein the certificate request message includes the certificate request information used by the VNF/VNFC instance to apply for a certificate;
    the signal receiver is further configured to receive the certificate issued by the CA;
    the signal transmitter is further configured to send the certificate to the VIM, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used by the VNF/VNFC instance to apply for a certificate.
  37. The certificate acquisition device as claimed in claim 36, characterized in that the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, is sent by the VNF/VNFC instance to the VM, and is then sent by the VM to the VIM over a secure channel between the VM and the VIM.
  38. The certificate acquisition device as claimed in claim 36, characterized in that the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, is sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and is then sent to the VIM over a secure channel between the NFVI and the VIM.
  39. The certificate acquisition device as claimed in any one of claims 36 to 38, characterized in that the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained when the network functions virtualization orchestrator (NFVO) or the VNFM determines to instantiate the VNF/VNFC instance.
  40. The certificate acquisition device as claimed in any one of claims 36 to 39, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  41. A certificate acquisition device, characterized by including:
    a signal receiver, configured to receive a certificate request message sent by a virtualized network function VNF/VNFC instance, wherein the certificate request message includes a temporary credential and certificate request information used to apply for a certificate; the temporary credential is applied for from the CA by the network functions virtualization orchestrator (NFVO) or the virtualized network function manager (VNFM) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    a processor, configured to authenticate the VNF/VNFC instance using the temporary credential and, when authentication passes, issue a certificate to the VNF/VNFC instance according to the certificate request information, included in the certificate request message, used to apply for a certificate.
  42. A certificate acquisition device, characterized by including:
    a signal receiver, configured to receive a certificate request message sent by a virtual machine (VM), wherein the certificate request message includes certificate request information used to apply for a certificate;
    a signal transmitter, configured to send a certificate request proxy message to a certificate authority (CA), wherein the certificate request proxy message includes the certificate request information used by the VM to apply for a certificate;
    the signal receiver is further configured to receive the certificate issued by the CA;
    the signal transmitter is further configured to send the certificate to the VM, wherein the certificate is obtained by the CA according to the certificate request information, included in the certificate request proxy message, used by the VM to apply for a certificate.
  43. The certificate acquisition device as claimed in claim 42, characterized in that
    the signal transmitter is specifically configured to send the certificate request proxy message to the virtualized infrastructure manager (VIM) in the virtual network function framework, the VIM forwarding the certificate request proxy message to the CA.
  44. The certificate acquisition device as claimed in claim 42 or 43, characterized in that the certificate acquisition device further includes a processor, wherein:
    the processor is configured to, when the VM receives the certificate, establish a management channel between the VM and the management device of the VM.
  45. The certificate acquisition device as claimed in any one of claims 42 to 44, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  46. The certificate acquisition device as claimed in claim 45, characterized in that the public key is generated by the VM according to initialization parameters, wherein the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained by the VIM when it receives, from the network functions virtualization orchestrator (NFVO), the request to generate the VM.
  47. A certificate acquisition device, characterized by including:
    a signal receiver, configured to receive a certificate request message sent by a VNF/VNFC instance, wherein the certificate request message includes verification information and certificate request information used to apply for a certificate, the verification information being used to establish a certificate application channel between the VNF/VNFC instance and a control device;
    a signal transmitter, configured to verify the VNF/VNFC instance using the received verification information and, when verification succeeds, issue a certificate according to the received certificate request information and send the certificate to the VNF/VNFC instance.
  48. The certificate acquisition device as claimed in claim 47, characterized in that, when the verification information is a temporary credential, the temporary credential is applied for from the virtualized network function manager (VNFM) by the network functions virtualization orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    or, the temporary credential is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
  49. The certificate acquisition device as claimed in claim 47, characterized in that, when the verification information is pre-shared information, the pre-shared information is generated by the network functions virtualization orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
  50. The certificate acquisition device as claimed in claim 49, characterized in that the pre-shared information includes at least one of the following:
    a pre-shared key (PSK), a username and password, a token.
  51. The certificate acquisition device as claimed in any one of claims 47 to 50, characterized in that the control device is a virtualized network function manager (VNFM).
  52. The certificate acquisition device as claimed in any one of claims 47 to 50, characterized in that, when the control device is the network functions virtualization orchestrator (NFVO), the signal receiver is specifically configured to receive the certificate request message sent by the virtualized network function manager (VNFM), wherein the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
  53. The certificate acquisition device as claimed in any one of claims 47 to 52, characterized in that the certificate acquisition device further includes a processor, wherein:
    the processor is configured to, when the certificate is sent to the VNF/VNFC instance, establish a management channel with the VNF/VNFC instance using the certificate.
  54. The certificate acquisition device as claimed in any one of claims 47 to 53, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  55. A certificate acquisition method, characterized by including:
    a control device receives a certificate request proxy message sent by a VNF/VNFC instance, wherein the certificate request proxy message includes verification information and certificate request information used to apply for a certificate, the verification information being used to establish a proxy certificate application channel between the VNF/VNFC instance and the control device;
    the control device verifies the VNF/VNFC instance using the verification information and, when verification succeeds, sends a certificate request message to a certificate authority (CA), wherein the certificate request message includes the certificate request information used to apply for a certificate;
    the control device receives the certificate issued by the CA and sends the certificate to the VNF/VNFC instance, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used to apply for a certificate.
  56. The certificate acquisition method as claimed in claim 55, characterized in that, when the verification information is a temporary credential, the temporary credential is applied for from the virtualized network function manager (VNFM) by the network functions virtualization orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    or, the temporary credential is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
  57. The certificate acquisition method as claimed in claim 55, characterized in that, when the verification information is pre-shared information, the pre-shared information is generated by the network functions virtualization orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
  58. The certificate acquisition method as claimed in claim 57, characterized in that the pre-shared information includes at least one of the following:
    a pre-shared key (PSK), a username and password, a token.
  59. The certificate acquisition method as claimed in any one of claims 55 to 58, characterized in that the control device is a virtualized network function manager (VNFM).
  60. The certificate acquisition method as claimed in any one of claims 55 to 58, characterized in that, when the control device is the network functions virtualization orchestrator (NFVO), the control device receiving the certificate request proxy message sent by the VNF/VNFC instance includes:
    the NFVO receives the certificate request proxy message sent by the virtualized network function manager (VNFM), wherein the certificate request proxy message is sent by the VNF/VNFC instance and forwarded by the VNFM.
  61. The method as claimed in any one of claims 55 to 60, characterized in that the method further includes:
    when sending the certificate to the VNF/VNFC instance, the control device establishes a management channel with the VNF/VNFC instance using the certificate.
  62. The certificate acquisition method as claimed in any one of claims 55 to 61, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  63. A certificate acquisition method, characterized by including:
    a virtualized network function (VNF) manager (VNFM) receives a certificate request proxy message sent by the virtualized infrastructure manager (VIM) in the VNF framework, wherein the certificate request proxy message includes the identifier of the VNF requesting a certificate and the certificate request information used to apply for a certificate for the VNF corresponding to that VNF identifier; or, the identifier of the VNFC instance requesting a certificate and the certificate request information used to apply for a certificate for the VNFC instance corresponding to that VNFC instance identifier;
    the VNFM sends a certificate request message to a certificate authority (CA), wherein the certificate request message includes the certificate request information used by the VNF/VNFC instance to apply for a certificate;
    the VNFM receives the certificate issued by the CA and sends the certificate to the VIM, wherein the certificate is generated by the CA according to the certificate request information, included in the certificate request message, used by the VNF/VNFC instance to apply for a certificate.
  64. The certificate acquisition method as claimed in claim 63, characterized in that the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, is sent by the VNF/VNFC instance to the VM, and is then sent by the VM to the VIM over a secure channel between the VM and the VIM.
  65. The certificate acquisition method as claimed in claim 63, characterized in that the certificate request proxy message is generated by the VIM according to the received certificate request information, wherein the certificate request information is obtained by the VNF/VNFC instance according to initialization parameters, is sent by the VNF/VNFC instance to the NFV infrastructure (NFVI), and is then sent to the VIM over a secure channel between the NFVI and the VIM.
  66. The certificate acquisition method as claimed in any one of claims 63 to 65, characterized in that the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained when the network functions virtualization orchestrator (NFVO) or the VNFM determines to instantiate the VNF/VNFC instance.
  67. The certificate acquisition method as claimed in any one of claims 63 to 66, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  68. A certificate acquisition method, characterized by including:
    a certificate authority (CA) receives a certificate request message sent by a virtualized network function VNF/VNFC instance, wherein the certificate request message includes a temporary credential and certificate request information used to apply for a certificate; the temporary credential is applied for from the CA by the network functions virtualization orchestrator (NFVO) or the virtualized network function manager (VNFM) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM when the NFVO determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    the CA authenticates the VNF/VNFC instance using the temporary credential and, when authentication passes, issues a certificate to the VNF/VNFC instance according to the certificate request information, included in the certificate request message, used to apply for a certificate.
  69. A certificate acquisition method, characterized by including:
    the NFV infrastructure (NFVI) receives a certificate request message sent by a virtual machine (VM), wherein the certificate request message includes certificate request information used to apply for a certificate;
    the NFVI sends a certificate request proxy message to a certificate authority (CA), wherein the certificate request proxy message includes the certificate request information used by the VM to apply for a certificate;
    the NFVI receives the certificate issued by the CA and sends the certificate to the VM, wherein the certificate is obtained by the CA according to the certificate request information, included in the certificate request proxy message, used by the VM to apply for a certificate.
  70. The certificate acquisition method as claimed in claim 69, characterized in that the NFVI sending the certificate request proxy message to the CA includes:
    the NFVI sends the certificate request proxy message to the virtualized infrastructure manager (VIM) in the virtual network function framework, and the VIM forwards the certificate request proxy message to the CA.
  71. The certificate acquisition method as claimed in claim 69 or 70, characterized in that the method further includes:
    when the VM receives the certificate, establishing a management channel between the VM and the management device of the VM.
  72. The certificate acquisition method as claimed in any one of claims 69 to 71, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
  73. The certificate acquisition method as claimed in claim 72, characterized in that the public key is generated by the VM according to initialization parameters, wherein the initialization parameters include CA information and the domain name of the certificate management domain, and the initialization parameters are obtained by the VIM when it receives, from the network functions virtualization orchestrator (NFVO), the request to generate the VM.
  74. A certificate acquisition method, characterized by including:
    a control device receives a certificate request message sent by a VNF/VNFC instance, wherein the certificate request message includes verification information and certificate request information used to apply for a certificate, the verification information being used to establish a certificate application channel between the VNF/VNFC instance and the control device;
    the control device verifies the VNF/VNFC instance using the received verification information and, when verification succeeds, issues a certificate according to the received certificate request information and sends the certificate to the VNF/VNFC instance.
  75. The certificate acquisition method as claimed in claim 74, characterized in that, when the verification information is a temporary credential, the temporary credential is applied for from the virtualized network function manager (VNFM) by the network functions virtualization orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    or, the temporary credential is generated by the VNFM when it determines that the VNF/VNFC instance needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
  76. The certificate acquisition method as claimed in claim 74, characterized in that, when the verification information is pre-shared information, the pre-shared information is generated by the network functions virtualization orchestrator (NFVO) when it determines that the VNF/VNFC instance needs to be instantiated, or is applied for from the VNFM, and is injected, via the virtualized infrastructure manager (VIM) in the VNF framework and the NFV infrastructure (NFVI), into the virtual machine (VM) hosting the VNF/VNFC instance;
    or, the pre-shared information is generated by the VNFM when it determines that the VNF needs to be instantiated, and is injected via the VIM and the NFVI into the VM hosting the VNF/VNFC instance.
  77. The certificate acquisition method as claimed in claim 76, characterized in that the pre-shared information includes at least one of the following:
    a pre-shared key (PSK), a username and password, a token.
  78. The certificate acquisition method as claimed in any one of claims 74 to 77, characterized in that the control device is a virtualized network function manager (VNFM).
  79. The certificate acquisition method as claimed in any one of claims 74 to 77, characterized in that, when the control device is the network functions virtualization orchestrator (NFVO), the control device receiving the certificate request message sent by the VNF/VNFC instance includes:
    the NFVO receives the certificate request message sent by the virtualized network function manager (VNFM), wherein the certificate request message is sent by the VNF/VNFC instance and forwarded by the VNFM.
  80. The certificate acquisition method as claimed in any one of claims 74 to 79, characterized in that the method further includes:
    when sending the certificate to the VNF/VNFC instance, the control device establishes a management channel with the VNF/VNFC instance using the certificate.
  81. The certificate acquisition method as claimed in any one of claims 74 to 80, characterized in that the certificate request information includes: the public key of the public/private key pair generated by the VNF/VNFC instance, and one or more of a certificate format, a domain name, and certificate authority information.
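
The proxied application flow of claims 55 to 58, where the control device verifies pre-shared information and then forwards only the certificate request information to the CA, is shown below as an added Python example that is not part of the patent text. Class, field and function names are hypothetical, the CA is an HMAC stub rather than an X.509 issuer, and the single-use and expiry checks on the token are assumptions the claims do not state.

```python
import hashlib
import hmac
import secrets
import time


class StubCA:
    """Stand-in for the CA: 'signs' with an HMAC instead of issuing X.509."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def issue(self, request_info):
        # The certificate request message carries only the certificate request
        # information (public key, domain name, ...), never the token.
        body = "|".join(f"{k}={request_info[k]}" for k in sorted(request_info))
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"subject": dict(request_info), "signature": sig}


class ControlDevice:
    """Plays the VNFM role: provisions the token, verifies it, proxies to the CA."""

    def __init__(self, ca, token_ttl=300):
        self._ca = ca
        self._ttl = token_ttl          # assumption: tokens expire
        self._pending = {}             # instance_id -> (sha256(token), expiry)

    def provision(self, instance_id, now=None):
        """Generate the token when instantiation is decided. The caller injects
        it into the instance's VM (via VIM and NFVI in the claims)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[instance_id] = (digest, now + self._ttl)
        return token

    def handle_proxy_request(self, msg, now=None):
        """Verify the instance, then apply for a certificate on its behalf."""
        now = time.time() if now is None else now
        instance_id = msg.get("instance_id")
        entry = self._pending.get(instance_id)
        if entry is None:
            return {"ok": False, "reason": "unknown-instance"}
        digest, expiry = entry
        presented = hashlib.sha256(str(msg.get("token", "")).encode()).digest()
        # Constant-time comparison of the stored and presented token digests.
        if not hmac.compare_digest(digest, presented):
            return {"ok": False, "reason": "bad-token"}
        if now > expiry:
            del self._pending[instance_id]
            return {"ok": False, "reason": "expired"}
        info = msg.get("request_info") or {}
        if not info.get("public_key"):
            return {"ok": False, "reason": "missing-public-key"}
        del self._pending[instance_id]  # assumption: token is single use
        return {"ok": True, "certificate": self._ca.issue(info)}


def run_demo():
    """Constructed inputs: one valid request, a replay, a wrong token, a late one."""
    vnfm = ControlDevice(StubCA())
    info = {"public_key": "constructed-public-key",
            "domain_name": "vnf1.example.test",
            "ca_info": "stub-ca"}

    token = vnfm.provision("vnf-1", now=1000)
    msg = {"instance_id": "vnf-1", "token": token, "request_info": info}
    first = vnfm.handle_proxy_request(msg, now=1010)
    replay = vnfm.handle_proxy_request(msg, now=1020)

    vnfm.provision("vnf-2", now=1000)  # vnf-2's own token is never presented
    wrong = vnfm.handle_proxy_request(
        {"instance_id": "vnf-2", "token": token, "request_info": info}, now=1010)

    late_token = vnfm.provision("vnf-3", now=1000)
    late = vnfm.handle_proxy_request(
        {"instance_id": "vnf-3", "token": late_token, "request_info": info},
        now=2000)
    return first, replay, wrong, late


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Storing only a digest of the token and binding it to one instance identifier means a token injected into one VM cannot be used to obtain a certificate for another instance, and a captured request cannot be replayed after issuance.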
CN201580024220.0A 2014-05-08 2015-03-19 Certificate acquisition method and equipment Active CN106464495B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
PCT/CN2014/077075 WO2015168914A1 (en) 2014-05-08 2014-05-08 Certificate acquisition method and device
CNPCT/CN2014/077075 2014-05-08
PCT/CN2015/074598 WO2015169126A1 (en) 2014-05-08 2015-03-19 Certificate acquisition method and device

Publications (2)

Publication Number Publication Date
CN106464495A true CN106464495A (en) 2017-02-22
CN106464495B CN106464495B (en) 2020-02-21

Family

ID=54392000

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201480011377.5A Active CN105284091B (en) 2014-05-08 2014-05-08 A kind of certificate acquisition method and apparatus
CN201580024220.0A Active CN106464495B (en) 2014-05-08 2015-03-19 Certificate acquisition method and equipment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201480011377.5A Active CN105284091B (en) 2014-05-08 2014-05-08 A kind of certificate acquisition method and apparatus

Country Status (8)

Country Link
US (1) US10225246B2 (en)
EP (1) EP3133789B1 (en)
JP (1) JP6299047B2 (en)
KR (1) KR101942412B1 (en)
CN (2) CN105284091B (en)
BR (1) BR112016026035B1 (en)
RU (1) RU2658172C2 (en)
WO (2) WO2015168914A1 (en)



Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008005090A (en) * 2006-06-21 2008-01-10 Nippon Telegr & Teleph Corp <Ntt> System for issuing and verifying certificates of several open keys, and method for issuing and verifying certificates of several open keys
US20130305042A1 (en) * 2008-10-06 2013-11-14 Olcorps Co., Ltd. System and method for issuing digital certificate using encrypted image
CN101754203A (en) * 2009-12-25 2010-06-23 宇龙计算机通信科技(深圳)有限公司 Method, device and network system for obtaining WAPI certificate
CN103036854A (en) * 2011-09-30 2013-04-10 中国移动通信集团公司 Business ordering method and system, business authority authentication method and terminal device
CN102663290A (en) * 2012-03-23 2012-09-12 中国科学院软件研究所 Method of digital right management based on virtual machine
WO2015169126A1 (en) * 2014-05-08 2015-11-12 华为技术有限公司 Certificate acquisition method and device
CN105284091B (en) * 2014-05-08 2018-06-15 华为技术有限公司 A kind of certificate acquisition method and apparatus

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108540301A (en) * 2017-03-03 2018-09-14 华为技术有限公司 A kind of the cryptographic initialization method and relevant device of prearranged account
CN108540301B (en) * 2017-03-03 2021-01-12 华为技术有限公司 Password initialization method for preset account and related equipment
CN107302544A (en) * 2017-08-15 2017-10-27 迈普通信技术股份有限公司 Certificate request method, wireless access control equipment and wireless access point device
CN107302544B (en) * 2017-08-15 2019-09-13 迈普通信技术股份有限公司 Certificate request method, wireless access control equipment and wireless access point device
CN113872765A (en) * 2020-06-30 2021-12-31 华为技术有限公司 Identity credential application method, identity authentication method, equipment and device
CN113872765B (en) * 2020-06-30 2023-02-03 华为技术有限公司 Identity credential application method, identity authentication method, equipment and device

Also Published As

Publication number Publication date
WO2015168914A1 (en) 2015-11-12
CN106464495B (en) 2020-02-21
KR101942412B1 (en) 2019-01-25
US20170054710A1 (en) 2017-02-23
CN105284091B (en) 2018-06-15
WO2015169126A1 (en) 2015-11-12
RU2658172C2 (en) 2018-06-19
BR112016026035B1 (en) 2023-04-18
RU2016147697A (en) 2018-06-08
US10225246B2 (en) 2019-03-05
BR112016026035A2 (en) 2018-05-15
CN105284091A (en) 2016-01-27
EP3133789A4 (en) 2017-04-26
EP3133789B1 (en) 2019-01-30
JP6299047B2 (en) 2018-03-28
EP3133789A1 (en) 2017-02-22
RU2016147697A3 (en) 2018-06-08
JP2017516434A (en) 2017-06-15
KR20170002577A (en) 2017-01-06

Similar Documents

Publication Publication Date Title
CN106464495A (en) Certificate acquisition method and device
CN105264818B (en) A kind of certificate acquisition method and apparatus
EP2842258B1 (en) Multi-factor certificate authority
CN110677240B (en) Method, apparatus and medium for providing highly available computing services through certificate issuance
CN106452782B (en) Method and system for generating secure communication channel for terminal device
CN104753881B (en) A kind of WebService safety certification access control method based on software digital certificate and timestamp
WO2022121461A1 (en) Method, apparatus and device for constructing token for cloud platform resource access control
US20110004767A1 (en) bidirectional entity authentication method based on the credible third party
CA3117713C (en) Authorization with a preloaded certificate
CN110677376A (en) Authentication method, related device and system and computer readable storage medium
CN108848496A (en) Authentication method, TEE terminal and the management platform of virtual eSIM card based on TEE
WO2022252992A1 (en) User data authorization method and user data authorization system
CN108965342A (en) The method for authenticating and system of request of data side's access data source
CN108234119B (en) Digital certificate management method and platform
CN114915418A (en) Business certificate management method, device and system and electronic equipment
CN105471579B (en) A kind of trust login method and device
CN107046539A (en) The method to set up and device of a kind of application secure access
CN110121857A (en) A kind of method and apparatus of authority distribution
TWI817162B (en) Component-free signature system for mobile device and method thereof
KR102162108B1 (en) Lw_pki system for nfv environment and communication method using the same
WO2022199569A1 (en) Configuration method and apparatus for terminal device, and communication device
Lakshmiraghavan Ownership Factors
Abd Aziz et al. Identity credential issuance with trusted computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant